Disable pwr protocols in bird and fix other shit.

This commit is contained in:
Brandon Cazander 2018-12-05 16:38:59 -08:00
parent a6468e9035
commit dd48794cbc
6 changed files with 33 additions and 4 deletions


@ -1,2 +1,2 @@
'P@type:(aggregator|vxr)' 'P@type:(aggregator|vxr)':
- yap - yap


@ -40,9 +40,11 @@ yap_service:
- name: yap.service - name: yap.service
- enable: True - enable: True
- restart: True - restart: True
- provider: systemd
yap_check_policy_rules_timer: yap_check_policy_rules_timer:
service.running: service.running:
- name: yap-check-policy-rules.timer - name: yap-check-policy-rules.timer
- enable: True - enable: True
- restart: True - restart: True
- provider: systemd


@ -141,6 +141,7 @@ EOF
fi fi
pwanbirdc - configure soft pwanbirdc - configure soft
disable_bird_protocols $space
} }
@ -241,12 +242,27 @@ function stop_unknown() {
} }
function disable_bird_protocols() {
args=$(check_args space,,$1) || return 1
eval $args
bird_version=$(bird --version |& cut -d ' ' -f 3)
if [[ $bird_version =~ ^2 ]] ; then
pwanbirdc - show protocols| grep -e "^spc${space}_pwr" | cut -d ' ' -f1 | xargs -l pwanbirdc - disable
else
pwanbirdc $space show protocols | grep -e '^pwr' | cut -d ' ' -f1 | xargs -l pwanbirdc pwan disable
fi
}
function check_policy_rules() { function check_policy_rules() {
for space in "${!SPACES[@]}" ; do for space in "${!SPACES[@]}" ; do
set -- ${SPACES[$space]} set -- ${SPACES[$space]}
space_id=$1 space_id=$1
table_id=$(get_table_id $space_id) table_id=$(get_table_id $space_id)
disable_bird_protocols $space
if ! ip rule | grep -qe "iif vl-$space" ; then if ! ip rule | grep -qe "iif vl-$space" ; then
if ip link show dev vl-$space > /dev/null 2>&1 ; then if ip link show dev vl-$space > /dev/null 2>&1 ; then
echo "Adding missing ip rule for $space" echo "Adding missing ip rule for $space"
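Review bot: In disable_bird_protocols, both `xargs -l pwanbirdc … disable` pipelines run the disable command even when grep matches nothing, because GNU xargs invokes the command once with no arguments on empty input; add `-r` so a space with no pwr protocols is a no-op, e.g. `… | cut -d ' ' -f1 | xargs -r -l pwanbirdc - disable` (and the same on the bird-1 branch). The grep exit status of 1 on no match is also swallowed by the pipeline, so the function cannot distinguish "nothing to disable" from a failed `pwanbirdc … show protocols`; at least quote the argument at the two new call sites, `disable_bird_protocols "$space"`. The version probe `bird --version |& cut -d ' ' -f 3` presumably depends on bird printing `BIRD <version>` as the first words of its banner — worth a comment, as anything else silently selects the bird-1 branch. check_policy_rules continues beyond the hunk, and the first hunk's enclosing function starts outside it.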


@ -15,6 +15,10 @@ bird:
- enable: True - enable: True
- restart: True - restart: True
iptables:
pkg.installed:
- refresh: false
nftables: nftables:
pkg.installed: pkg.installed:
- refresh: false - refresh: false


@ -148,6 +148,12 @@ function start_firewall() {
for host in $VXLAN_PEERS ; do for host in $VXLAN_PEERS ; do
mesh_hosts="${mesh_hosts} ${host}," mesh_hosts="${mesh_hosts} ${host},"
done done
if [ ! -z "$admin_hosts" ] ; then
admin_hosts="ip saddr {$admin_hosts} jump input-admin"
fi
if [ ! -z "$mesh_hosts" ] ; then
mesh_hosts="ip saddr {$mesh_hosts} jump input-mesh"
fi
tmp=$(mktemp) tmp=$(mktemp)
cat <<EOF > $tmp cat <<EOF > $tmp
flush ruleset flush ruleset
@ -172,14 +178,14 @@ table inet filter {
ip6 nexthdr icmpv6 accept ip6 nexthdr icmpv6 accept
# Mesh hosts # Mesh hosts
ip saddr {$mesh_hosts} jump input-mesh $mesh_hosts
# Backhaul # Backhaul
iifname "vl-*" jump input-backhaul iifname "vl-*" jump input-backhaul
iifname "vx-*" jump input-backhaul iifname "vx-*" jump input-backhaul
# Allow administrative hosts # Allow administrative hosts
ip saddr {$admin_hosts} jump input-admin $admin_hosts
# Reject # Reject
reject with icmpx type admin-prohibited reject with icmpx type admin-prohibited
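Review bot: The new blocks that turn `$admin_hosts` and `$mesh_hosts` into complete rule lines carry no comment saying why the `jump` rule is now assembled in the variable instead of inline in the ruleset; a one-line comment such as `# build the whole rule here so an empty host list drops the rule instead of emitting an empty nft set` would make the intent clear to the next reader. Style-wise `[ ! -z "$admin_hosts" ]` is the double negative of `[ -n "$admin_hosts" ]`. The host lists are still interpolated verbatim into the heredoc, so whatever populates `$admin_hosts` and `VXLAN_PEERS` (outside this hunk) effectively writes nftables syntax; that is fine only as long as those values come from trusted config. start_firewall begins before the first hunk and the ruleset heredoc continues past the second.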

3
yap

@ -415,7 +415,7 @@ function salt_exec() {
nodelist="$1" nodelist="$1"
shift shift
salt -C "$$nodelist" $@ salt -C "$nodelist" "$@"
} }
@ -713,6 +713,7 @@ function vxr_add() {
# Additional apply for authorized keys, etc. # Additional apply for authorized keys, etc.
salt $vxr state.apply ||: salt $vxr state.apply ||:
salt_exec $(get_vxr_nodelist) service.restart yap-firewall ||:
salt_exec $(get_vxr_nodelist) service.restart yap ||: salt_exec $(get_vxr_nodelist) service.restart yap ||:
vxr_show $vxr vxr_show $vxr
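Review bot: The new `salt_exec $(get_vxr_nodelist) service.restart yap-firewall ||:` line leaves the command substitution unquoted, so if get_vxr_nodelist ever returns a compound target containing spaces, salt_exec receives only its first word as `$1` and the remainder is passed on as extra arguments to salt; now that salt_exec correctly quotes `"$nodelist"` and `"$@"`, the caller should match it with `salt_exec "$(get_vxr_nodelist)" service.restart yap-firewall ||:`. The existing yap restart on the next line has the same shape. vxr_add starts and ends outside the hunk.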