IP Route¶
Installation¶
apt install iproute2
Tabellen¶
Wir ergänzen die Datei /etc/iproute2/rt_tables mit unseren Routing Tabellen.
#
# icvpn table
23 icvpn
#
# local community table
41 ffhf
#
# internet exit table
61 ffinetexit
Wie zu erkennen ist verwenden wir 3 Routing Tabellen:
icvpn (wird dynamisch über BGP gefüllt)
ffhf (enthält statische Routen der Community-Netze)
ffinetexit (enthält Routen für den Internet-Verkehr)
Regeln und Routen¶
Vor dem Eintrag exit 0 in der Datei /etc/rc.local fügen wir die Regeln und Routen ein, dass sollte dann in etwa so aussehen.
Vorsicht
Die letzte Zeile der Datei muss exit 0 beinhalten!
#!/bin/sh -e
# This file is managed by Salt, do not edit.
#
# -e file
# True if file exists.
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
# IP rules
#
# von https://gluon-gateway-doku.readthedocs.org/de/latest/configuration/policyrouting.html
# Wie zu erkennen ist verwenden wir 3 Routing Tabellen:
#
# icvpn (wird dynamisch über BGP gefüllt)
# ffhf (enthält statische Routen der Community-Netze)
# ffinetexit (enthält Routen für den Internet-Verkehr)
#
# lookup rt_table ffhf for all incoming traffic of freifunk related interfaces
ip -4 rule add from all iif {{ bridge }} lookup ffhf priority 7
# ip -4 rule add from all iif {{ intercity }} lookup ffhf priority 7
ip -4 rule add from all iif {{ exit }} lookup ffhf priority 7
ip -6 rule add from all iif {{ bridge }} lookup ffhf priority 7
# ip -6 rule add from all iif {{ intercity }} lookup ffhf priority 7
ip -6 rule add from all iif {{ exit }} lookup ffhf priority 7
#
# lookup rt_table icvpn for all incoming traffic of freifunk bridges
# ip -4 rule add from all iif {{ bridge }} lookup icvpn priority 23
# ip -6 rule add from all iif {{ bridge }} lookup icvpn priority 23
#
# lookup rt_table ffinetexit for all incoming traffic of freifunk bridges
ip -4 rule add from all iif {{ bridge }} lookup ffinetexit priority 41
ip -6 rule add from all iif {{ bridge }} lookup ffinetexit priority 41
#
# at this point this is the end of policy routing for freifunk related routes
ip -4 rule add from all iif {{ bridge }} type unreachable priority 61
ip -4 rule add from all iif {{ exit }} type unreachable priority 61
# ip -4 rule add from all iif {{ intercity }} type unreachable priority 61
ip -4 rule add from all iif {{ primary }} type unreachable priority 61
ip -6 rule add from all iif {{ bridge }} type unreachable priority 61
ip -6 rule add from all iif {{ exit }} type unreachable priority 61
# ip -6 rule add from all iif {{ intercity }} type unreachable priority 61
ip -6 rule add from all iif {{ primary }} type unreachable priority 61
#
# lookup policies for the gateway host self originating traffic
ip -4 rule add from all lookup ffhf priority 107
# ip -4 rule add from all lookup icvpn priority 107
ip -6 rule add from all lookup ffhf priority 107
# ip -6 rule add from all lookup icvpn priority 107
#
# IP routes
#
# Zusätzlich zu den IP Rules befüllen wir über das rc.local-Script auch die Routing-Tabellen ffhf und ffinetexit mit den nötigen statischen Routen:
#
# static herford routes for rt_table ffhf
ip -4 route add 10.34.0.0/16 proto static dev {{ bridge }} table ffhf # Todo: Add Variable
ip -6 route add fdf3:2049:5152::/48 proto static dev {{ bridge }} table ffhf # Todo: Add variable
{% if pillar['exit']['type'] != 'gre' %}
#
# unreachable routes for rt_table ffinetexit
ip -4 route add unreachable default table ffinetexit
ip -6 route add unreachable default table ffinetexit
{% endif %}
{% if pillar['network']['mesh']['hwaddress'] is defined %}
if [ -f /bin/systemctl ]; then
if [ "$(systemctl status alfred | grep -E 'Active: inactive|Active: failed')" ]; then
systemctl restart fastd
sleep 3
systemctl restart alfred
fi
else
if [ "$(service alfred status | grep stop)" ]; then
service fastd restart
sleep 3
service alfred restart
fi
fi
{% endif %}
exit 0
Todo: Den Krams in Interfaces mir reinpacken und rauf- und runterfahren mit dem Interface?
Weitere Informationen¶
Policy Routing Anleitung vom Freifunk Mainz, Wiesbaden & Umgebung
Salt State File¶
iproute2.sls
# IP Route
{% set iproute = salt['grains.filter_by']({
'Debian': {'pkg': 'iproute2'},
}, default='Debian') %}
{{ iproute.pkg }}:
pkg.installed:
- name: {{ iproute.pkg }}
# ip route consults /etc/iproute2/rt_tables for a table identifier.
# If it finds no identifier, it complains that it cannot find a reference to such a table.
# If a table identifier is found, then the corresponding routing table is displayed.
/etc/iproute2/rt_tables:
file.append:
- name: /etc/iproute2/rt_tables
- text: |
#
# icvpn table
23 icvpn
#
# local community table
41 ffhf
#
# internet exit table
61 ffinetexit
# should be put in interfaces
# pre-up
# up
# post-down
# down
/etc/rc.local-init:
cmd.run:
- name: sh /etc/rc.local
# - unless: test -n "$(ip rule show table all | grep ffhf)"
- require:
- file: /etc/rc.local
- onchanges:
- file: /etc/rc.local
/etc/rc.local:
file.managed:
- name: /etc/rc.local
- source: salt://gateway/etc/rc.local
- mode: 755
- template: jinja
- defaults:
primary: {{ pillar['network']['primary']['interface'] }}
bridge: {{ pillar['network']['bridge']['interface'] }}
exit: {{ pillar['network']['exit']['interface'] }}
intercity: {{ pillar['network']['intercity']['interface'] }}
{% if grains['os_family'] == 'Debian' and grains['init'] == 'systemd' %}
{% set rclocal = salt['grains.filter_by']({
'Debian': {'pkg': 'rc-local', 'srv': 'rc-local'},
}, default='Debian') %}
{{ rclocal.srv }}:
service.enabled:
- name: {{ rclocal.srv }}
- enable: True
{% endif %}