Disable pwr protocols in bird and fix other shit.

2018-12-05 16:38:59 -08:00 · 2018-12-05 16:38:59 -08:00 · dd48794cbc
commit dd48794cbc
parent a6468e9035
6 changed files with 33 additions and 4 deletions
--- a/salt/top.sls
+++ b/salt/top.sls
@ -1,2 +1,2 @@
-  'P@type:(aggregator|vxr)'
+  'P@type:(aggregator|vxr)':
    - yap
--- a/salt/yap/aggregator/init.sls
+++ b/salt/yap/aggregator/init.sls
@ -40,9 +40,11 @@ yap_service:
    - name: yap.service
    - enable: True
    - restart: True
+    - provider: systemd

 yap_check_policy_rules_timer:
  service.running:
    - name: yap-check-policy-rules.timer
    - enable: True
    - restart: True
+    - provider: systemd
--- a/salt/yap/aggregator/yap_aggregator
+++ b/salt/yap/aggregator/yap_aggregator
@ -141,6 +141,7 @@ EOF
    fi

    pwanbirdc - configure soft
+    disable_bird_protocols $space

 }

@ -241,12 +242,27 @@ function stop_unknown() {
 }


+function disable_bird_protocols() {
+    args=$(check_args space,,$1) || return 1
+    eval $args
+
+    bird_version=$(bird --version |& cut -d ' ' -f 3)
+    if [[ $bird_version =~ ^2 ]] ; then
+        pwanbirdc - show protocols| grep -e "^spc${space}_pwr" | cut -d ' ' -f1 | xargs -l pwanbirdc - disable
+    else
+        pwanbirdc $space show protocols | grep -e '^pwr' | cut -d ' ' -f1 | xargs -l pwanbirdc pwan disable
+    fi
+}
+
+
 function check_policy_rules() {
    for space in "${!SPACES[@]}" ; do
        set -- ${SPACES[$space]}
        space_id=$1
        table_id=$(get_table_id $space_id)

+        disable_bird_protocols $space
+
        if ! ip rule | grep -qe "iif vl-$space" ; then
            if ip link show dev vl-$space > /dev/null 2>&1 ; then
                echo "Adding missing ip rule for $space"
--- a/salt/yap/vxr/init.sls
+++ b/salt/yap/vxr/init.sls
@ -15,6 +15,10 @@ bird:
    - enable: True
    - restart: True

+iptables:
+  pkg.installed:
+    - refresh: false
+
 nftables:
  pkg.installed:
    - refresh: false
--- a/salt/yap/vxr/yap_vxr
+++ b/salt/yap/vxr/yap_vxr
@ -148,6 +148,12 @@ function start_firewall() {
    for host in $VXLAN_PEERS ; do
        mesh_hosts="${mesh_hosts} ${host},"
    done
+    if [ ! -z "$admin_hosts" ] ; then
+        admin_hosts="ip saddr {$admin_hosts} jump input-admin"
+    fi
+    if [ ! -z "$mesh_hosts" ] ; then
+        mesh_hosts="ip saddr {$mesh_hosts} jump input-mesh"
+    fi
    tmp=$(mktemp)
    cat <<EOF > $tmp
 flush ruleset
@ -172,14 +178,14 @@ table inet filter {
        ip6 nexthdr icmpv6 accept

        # Mesh hosts
-        ip saddr {$mesh_hosts} jump input-mesh
+        $mesh_hosts

        # Backhaul
        iifname "vl-*" jump input-backhaul
        iifname "vx-*" jump input-backhaul

        # Allow administrative hosts
-        ip saddr {$admin_hosts} jump input-admin
+        $admin_hosts

        # Reject
        reject with icmpx type admin-prohibited
--- a/3
+++ b/3
@ -415,7 +415,7 @@ function salt_exec() {
    nodelist="$1"
    shift

-    salt -C "$$nodelist" $@
+    salt -C "$nodelist" "$@"
 }


@ -713,6 +713,7 @@ function vxr_add() {
    # Additional apply for authorized keys, etc.
    salt $vxr state.apply ||:

+    salt_exec $(get_vxr_nodelist) service.restart yap-firewall ||:
    salt_exec $(get_vxr_nodelist) service.restart yap ||:

    vxr_show $vxr