add multiple ipv6 upstream mechanisms (6to4, slac)

2016-11-29 21:49:52 +01:00 · 2016-11-29 21:49:52 +01:00 · 5c7e8139c0
parent 420dbea8d1
commit 5c7e8139c0
12 changed files with 75 additions and 2 deletions
--- a/salt-pillar/upstream/anon1.sls
+++ b/salt-pillar/upstream/anon1.sls
@ -1,5 +1,6 @@
 upstream:
  interface: ipredator
+  nat66-interface: ipredator
  up-bandwidth: 4000
  flow-keys: nfct-src
  flows: 4096
--- a/salt-pillar/upstream/upstream1.sls
+++ b/salt-pillar/upstream/upstream1.sls
@ -1,5 +1,6 @@
 upstream:
  interface: up1
+  nat66-interface: 6to4
  up-bandwidth: 6200
  flow-keys: nfct-src
  flows: 2048
--- a/salt-pillar/upstream/upstream2.sls
+++ b/salt-pillar/upstream/upstream2.sls
@ -1,5 +1,6 @@
 upstream:
  interface: up2
+  nat66-interface: 6to4
  up-bandwidth: 6200
  flow-keys: nfct-src
  flows: 2048
--- a/salt/forwarding/init.sls
+++ b/salt/forwarding/init.sls
@ -5,7 +5,7 @@ procps:
  file.managed:
    - source: "salt://forwarding/forwarding.conf"

-apply:
+apply-forwarding:
  cmd.run:
    - name: sysctl -p /etc/sysctl.d/80-forwarding.conf
      require:
--- a/salt/top.sls
+++ b/salt/top.sls
@ -15,9 +15,15 @@ base:
    - no-ssh
    - forwarding
    - ospf
+    - unbound
    - upstream.dhcp
    - upstream.shaping
-    - unbound
+  'upstream1':
+    - upstream.6to4
+    - upstream.nat66
+  'upstream2':
+    - upstream.6slac
+    - upstream.nat66
  'anon*':
    - no-ssh
    - forwarding
@ -25,3 +31,4 @@ base:
    - vpn.openvpn
    - upstream.masquerade
    - upstream.shaping
+    - upstream.nat66
--- a/salt/upstream/6slac.conf
+++ b/salt/upstream/6slac.conf
@ -0,0 +1 @@
+net.ipv6.conf.{{ interface }}.accept_ra=2
--- a/salt/upstream/6slac.sls
+++ b/salt/upstream/6slac.sls
@ -0,0 +1,15 @@
+{%- set interface = pillar['upstream']['interface'] %}
+
+/etc/sysctl.d/70-upstream-6slac.conf:
+  file.managed:
+    - source: "salt://upstream/6slac.conf"
+    - template: 'jinja'
+    - context:
+        interface: {{ interface }}
+
+apply-6slac:
+  cmd.run:
+    - name: sysctl -p /etc/sysctl.d/70-upstream-6slac.conf
+      require:
+        - file: /etc/sysctl.d/70-upstream-6slac.conf
+        - pkg: procps
--- a/salt/upstream/6to4-down
+++ b/salt/upstream/6to4-down
@ -0,0 +1,3 @@
+#!/bin/sh
+
+ip tunnel del 6to4
--- a/salt/upstream/6to4-up
+++ b/salt/upstream/6to4-up
@ -0,0 +1,11 @@
+#!/bin/sh
+
+INET=$(ip addr show dev {{ interface }} | \
+    egrep -oe '[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+' | \
+    head -n 1)
+PREFIX=$(printf "2002:%02x%02x:%02x%02x:\n" $(echo $INET | tr . ' '))
+
+ip tunnel add 6to4 mode sit remote 192.88.99.1 local $INET
+ip addr add "${PREFIX}:1/128" dev 6to4
+ip link set 6to4 up
+ip route add 2000::/3 dev 6to4 via ::192.88.99.1
--- a/salt/upstream/6to4.sls
+++ b/salt/upstream/6to4.sls
@ -0,0 +1,17 @@
+{%- set interface = pillar['upstream']['interface'] %}
+
+/etc/network/if-up.d/6to4:
+  file.managed:
+    - source: salt://upstream/6to4-up
+    - template: 'jinja'
+    - context:
+        interface: {{ interface }}
+    - mode: 755
+
+/etc/network/if-down.d/6to4:
+  file.managed:
+    - source: salt://upstream/6to4-down
+    - template: 'jinja'
+    - context:
+        interface: {{ interface }}
+    - mode: 755
--- a/salt/upstream/nat66
+++ b/salt/upstream/nat66
@ -0,0 +1,5 @@
+#!/bin/sh
+
+if [ "$IFACE" = "{{ interface }}" ]; then
+   ip6tables -t nat -A POSTROUTING -o "$IFACE" -j MASQUERADE
+fi
--- a/salt/upstream/nat66.sls
+++ b/salt/upstream/nat66.sls
@ -0,0 +1,11 @@
+{%- set interface = pillar['upstream']['nat66-interface'] %}
+
+/etc/network/if-pre-up.d/nat66:
+  file.managed:
+    - source: salt://upstream/nat66
+    - template: 'jinja'
+    - context:
+        interface: {{ interface }}
+    - mode: 755
+    - require:
+        - pkg: iptables