diff --git a/salt/top.sls b/salt/top.sls
index 35ff632..27b59a9 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -1,2 +1,2 @@
- 'P@type:(aggregator|vxr)'
+ 'P@type:(aggregator|vxr)':
 - yap
diff --git a/salt/yap/aggregator/init.sls b/salt/yap/aggregator/init.sls
index 8bd6925..90e601c 100644
--- a/salt/yap/aggregator/init.sls
+++ b/salt/yap/aggregator/init.sls
@@ -40,9 +40,11 @@ yap_service:
 - name: yap.service
 - enable: True
 - restart: True
+ - provider: systemd
 
 yap_check_policy_rules_timer:
 service.running:
 - name: yap-check-policy-rules.timer
 - enable: True
 - restart: True
+ - provider: systemd
diff --git a/salt/yap/aggregator/yap_aggregator b/salt/yap/aggregator/yap_aggregator
index 43822e7..76a0935 100755
--- a/salt/yap/aggregator/yap_aggregator
+++ b/salt/yap/aggregator/yap_aggregator
@@ -141,6 +141,7 @@ EOF
 fi
 
 pwanbirdc - configure soft
+ disable_bird_protocols $space
 }
 
 
@@ -241,12 +242,27 @@ function stop_unknown() {
 }
 
 
+function disable_bird_protocols() {
+ args=$(check_args space,,$1) || return 1
+ eval $args
+
+ bird_version=$(bird --version |& cut -d ' ' -f 3)
+ if [[ $bird_version =~ ^2 ]] ; then
+ pwanbirdc - show protocols| grep -e "^spc${space}_pwr" | cut -d ' ' -f1 | xargs -l pwanbirdc - disable
+ else
+ pwanbirdc $space show protocols | grep -e '^pwr' | cut -d ' ' -f1 | xargs -l pwanbirdc pwan disable
+ fi
+}
+
+
 function check_policy_rules() {
 for space in "${!SPACES[@]}" ; do
 set -- ${SPACES[$space]}
 space_id=$1
 table_id=$(get_table_id $space_id)
 
+ disable_bird_protocols $space
+
 if ! ip rule | grep -qe "iif vl-$space" ; then
 if ip link show dev vl-$space > /dev/null 2>&1 ; then
 echo "Adding missing ip rule for $space"
diff --git a/salt/yap/vxr/init.sls b/salt/yap/vxr/init.sls
index 3a347e0..552d1f0 100644
--- a/salt/yap/vxr/init.sls
+++ b/salt/yap/vxr/init.sls
@@ -15,6 +15,10 @@ bird:
 - enable: True
 - restart: True
 
+iptables:
+ pkg.installed:
+ - refresh: false
+
 nftables:
 pkg.installed:
 - refresh: false
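Review bot: In disable_bird_protocols, when grep matches nothing both pipelines still invoke the disable command once with no protocol name, because GNU xargs normally runs its command even on empty input; use `xargs -r -l pwanbirdc - disable` (and the same `-r` in the else branch) so a space with no matching protocols is a no-op instead of a birdc syntax error on every timer run. The else branch also looks inconsistent: it lists protocols on the `$space` instance but issues the disable on `pwan` — if pwanbirdc's first argument selects the bird instance, that should presumably be `xargs -r -l pwanbirdc $space disable`; worth confirming against the bird 1.x layout. The function's exit status is that of its last pipeline, which neither call site checks (the one added in check_policy_rules here, nor the one after `pwanbirdc - configure soft` in the earlier hunk, whose enclosing function starts outside that hunk), so a failed disable goes unnoticed. A short header comment stating that it disables every `spc<space>_pwr` (bird 2) or `pwr` (bird 1) protocol for the given space would help, since the name alone does not say which protocols are affected.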
diff --git a/salt/yap/vxr/yap_vxr b/salt/yap/vxr/yap_vxr
index 84d65d9..4a97b36 100755
--- a/salt/yap/vxr/yap_vxr
+++ b/salt/yap/vxr/yap_vxr
@@ -148,6 +148,12 @@ function start_firewall() {
 for host in $VXLAN_PEERS ; do
 mesh_hosts="${mesh_hosts} ${host},"
 done
+ if [ ! -z "$admin_hosts" ] ; then
+ admin_hosts="ip saddr {$admin_hosts} jump input-admin"
+ fi
+ if [ ! -z "$mesh_hosts" ] ; then
+ mesh_hosts="ip saddr {$mesh_hosts} jump input-mesh"
+ fi
 tmp=$(mktemp)
 cat < $tmp
 flush ruleset
@@ -172,14 +178,14 @@ table inet filter {
 ip6 nexthdr icmpv6 accept
 
 # Mesh hosts
- ip saddr {$mesh_hosts} jump input-mesh
+ $mesh_hosts
 
 # Backhaul
 iifname "vl-*" jump input-backhaul
 iifname "vx-*" jump input-backhaul
 
 # Allow administrative hosts
- ip saddr {$admin_hosts} jump input-admin
+ $admin_hosts
 
 # Reject
 reject with icmpx type admin-prohibited
diff --git a/yap b/yap
index 5d67992..b410c64 100755
--- a/yap
+++ b/yap
@@ -415,7 +415,7 @@ function salt_exec() {
 nodelist="$1"
 shift
 
- salt -C "$$nodelist" $@
+ salt -C "$nodelist" "$@"
 }
 
 
@@ -713,6 +713,7 @@ function vxr_add() {
 
 # Additional apply for authorized keys, etc.
 salt $vxr state.apply ||:
+ salt_exec $(get_vxr_nodelist) service.restart yap-firewall ||:
 salt_exec $(get_vxr_nodelist) service.restart yap ||:
 
 vxr_show $vxr
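Review bot: The two new guards overwrite `$admin_hosts` and `$mesh_hosts` with a complete nft rule instead of the host list they were built from, so any later use of those variables as a plain host set (outside this hunk) would now receive `ip saddr {...} jump ...`; separate names such as `admin_rule`/`mesh_rule`, expanded in the template lines changed in this file's second hunk, keep the two meanings apart. Prefer `[ -n "$admin_hosts" ]` over `[ ! -z "$admin_hosts" ]`. Since an empty list now silently drops the corresponding jump and traffic falls through to the `reject` at the end of the template, an `echo` noting that no admin (or mesh) hosts are configured would make that fail-closed outcome visible in the service log rather than appearing as an unexplained lockout. start_firewall continues outside the hunk.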
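Review bot: After the quoting fix, an empty first argument still reaches `salt -C ""`, and because every caller in this diff appends `||:` the failure is swallowed; a guard before the shift such as `[ -n "$nodelist" ] || { echo "salt_exec: empty nodelist" >&2; return 1; }` keeps the error visible. `nodelist` is also assigned without `local`, so it leaks into the caller's scope — `local nodelist="$1"` if the file's other functions follow that style. The body of salt_exec appears complete within the hunk.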
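Review bot: The new restart line passes `$(get_vxr_nodelist)` unquoted, so a target expression containing whitespace is word-split and only its first word becomes the nodelist, with the remainder forwarded to salt as extra arguments; the existing `service.restart yap` line below it has the same shape. `salt_exec "$(get_vxr_nodelist)" service.restart yap-firewall ||:` keeps the target intact, and an empty result then reaches salt as `-C ""` rather than shifting `service.restart` into the target slot. vxr_add starts outside the hunk.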