From 5c7e8139c026b2ad92e61f14c63222a97ad81f68 Mon Sep 17 00:00:00 2001
From: Astro
Date: Tue, 29 Nov 2016 21:49:52 +0100
Subject: [PATCH] add multiple ipv6 upstream mechanisms (6to4, slac)

---
 salt-pillar/upstream/anon1.sls     |  1 +
 salt-pillar/upstream/upstream1.sls |  1 +
 salt-pillar/upstream/upstream2.sls |  1 +
 salt/forwarding/init.sls           |  2 +-
 salt/top.sls                       |  9 ++++++++-
 salt/upstream/6slac.conf           |  1 +
 salt/upstream/6slac.sls            | 15 +++++++++++++++
 salt/upstream/6to4-down            |  3 +++
 salt/upstream/6to4-up              | 11 +++++++++++
 salt/upstream/6to4.sls             | 17 +++++++++++++++++
 salt/upstream/nat66                |  5 +++++
 salt/upstream/nat66.sls            | 11 +++++++++++
 12 files changed, 75 insertions(+), 2 deletions(-)
 create mode 100644 salt/upstream/6slac.conf
 create mode 100644 salt/upstream/6slac.sls
 create mode 100644 salt/upstream/6to4-down
 create mode 100644 salt/upstream/6to4-up
 create mode 100644 salt/upstream/6to4.sls
 create mode 100644 salt/upstream/nat66
 create mode 100644 salt/upstream/nat66.sls

diff --git a/salt-pillar/upstream/anon1.sls b/salt-pillar/upstream/anon1.sls
index 4b7e1fc..98d70c4 100644
--- a/salt-pillar/upstream/anon1.sls
+++ b/salt-pillar/upstream/anon1.sls
@@ -1,5 +1,6 @@
 upstream:
   interface: ipredator
+  nat66-interface: ipredator
   up-bandwidth: 4000
   flow-keys: nfct-src
   flows: 4096
diff --git a/salt-pillar/upstream/upstream1.sls b/salt-pillar/upstream/upstream1.sls
index f1ae4f6..6085cbb 100644
--- a/salt-pillar/upstream/upstream1.sls
+++ b/salt-pillar/upstream/upstream1.sls
@@ -1,5 +1,6 @@
 upstream:
   interface: up1
+  nat66-interface: 6to4
   up-bandwidth: 6200
   flow-keys: nfct-src
   flows: 2048
diff --git a/salt-pillar/upstream/upstream2.sls b/salt-pillar/upstream/upstream2.sls
index 36a51fd..8863198 100644
--- a/salt-pillar/upstream/upstream2.sls
+++ b/salt-pillar/upstream/upstream2.sls
@@ -1,5 +1,6 @@
 upstream:
   interface: up2
+  nat66-interface: 6to4
   up-bandwidth: 6200
   flow-keys: nfct-src
   flows: 2048
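Review bot: The `nat66-interface: 6to4` value added for upstream2 does not match what top.sls assigns to that minion: `'upstream2'` gets `upstream.6slac` plus `upstream.nat66`, not `upstream.6to4`, so no `6to4` device is ever created there and the `$IFACE` test in the nat66 hook never matches. If upstream2 is meant to masquerade IPv6 out of its SLAAC-configured link, the key should name the upstream interface itself, `nat66-interface: up2`; if it is meant to run 6to4, the top.sls assignment is what needs changing. The same key in anon1.sls and upstream1.sls is consistent with their state lists.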
diff --git a/salt/forwarding/init.sls b/salt/forwarding/init.sls
index ed4e707..3b21fbe 100644
--- a/salt/forwarding/init.sls
+++ b/salt/forwarding/init.sls
@@ -5,7 +5,7 @@ procps:
   file.managed:
     - source: "salt://forwarding/forwarding.conf"
 
-apply:
+apply-forwarding:
   cmd.run:
     - name: sysctl -p /etc/sysctl.d/80-forwarding.conf
   require:
diff --git a/salt/top.sls b/salt/top.sls
index b256aa0..8f1a901 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -15,9 +15,15 @@ base:
     - no-ssh
     - forwarding
     - ospf
+    - unbound
     - upstream.dhcp
     - upstream.shaping
-    - unbound
+  'upstream1':
+    - upstream.6to4
+    - upstream.nat66
+  'upstream2':
+    - upstream.6slac
+    - upstream.nat66
   'anon*':
     - no-ssh
     - forwarding
@@ -25,3 +31,4 @@ base:
     - vpn.openvpn
     - upstream.masquerade
     - upstream.shaping
+    - upstream.nat66
diff --git a/salt/upstream/6slac.conf b/salt/upstream/6slac.conf
new file mode 100644
index 000000000..42ac1e8
--- /dev/null
+++ b/salt/upstream/6slac.conf
@@ -0,0 +1 @@
+net.ipv6.conf.{{ interface }}.accept_ra=2
diff --git a/salt/upstream/6slac.sls b/salt/upstream/6slac.sls
new file mode 100644
index 000000000..75a7c34
--- /dev/null
+++ b/salt/upstream/6slac.sls
@@ -0,0 +1,15 @@
+{%- set interface = pillar['upstream']['interface'] %}
+
+/etc/sysctl.d/70-upstream-6slac.conf:
+  file.managed:
+    - source: "salt://upstream/6slac.conf"
+    - template: 'jinja'
+    - context:
+        interface: {{ interface }}
+
+apply-6slac:
+  cmd.run:
+    - name: sysctl -p /etc/sysctl.d/70-upstream-6slac.conf
+  require:
+    - file: /etc/sysctl.d/70-upstream-6slac.conf
+    - pkg: procps
diff --git a/salt/upstream/6to4-down b/salt/upstream/6to4-down
new file mode 100644
index 000000000..9f03887
--- /dev/null
+++ b/salt/upstream/6to4-down
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+ip tunnel del 6to4
diff --git a/salt/upstream/6to4-up b/salt/upstream/6to4-up
new file mode 100644
index 000000000..a450ae7
--- /dev/null
+++ b/salt/upstream/6to4-up
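Review bot: The value `2` in `net.ipv6.conf.{{ interface }}.accept_ra=2` deserves a comment, because `1` would be silently ignored on this host: the forwarding state makes the box a router, and the kernel only honours router advertisements on a forwarding interface when accept_ra is 2. Suggested line above it: `# 2 = accept RAs even though forwarding is enabled (1 is ignored on a router)`. With the kernel defaults this also means the box installs a default route and prefixes from whatever sends RAs on that link, so the setting belongs only on the interface named by the pillar, which the template already limits it to.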
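Review bot: `apply-6slac` is a `cmd.run` with no `onchanges`, so `sysctl -p` is re-executed and reported as a change on every highstate; adding `- onchanges:` with `- file: /etc/sysctl.d/70-upstream-6slac.conf` under `cmd.run` fixes that, or the file-plus-command pair can be replaced by a single `sysctl.present` state, which is idempotent by itself. The requisite is also written as a bare `require:` key rather than the `- require:` list item that nat66.sls in this same commit uses; the two files should agree, and the list form is the one Salt documents. The `- pkg: procps` reference relies on forwarding/init.sls being in the same highstate, which top.sls currently guarantees but nothing in this file states.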
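Review bot: Neither `/etc/network/if-down.d/6to4` nor the matching if-up.d script in the next hunk checks `$IFACE`, so ifupdown runs them for every interface, including `lo` and the tunnel's own events: any `ifdown` on the box deletes the 6to4 tunnel, and any `ifup` tries to recreate it from the upstream's address. The nat66 hook added by this commit already shows the pattern; add `[ "$IFACE" = "{{ interface }}" ] || exit 0` after the shebang in both scripts, which is possible because 6to4.sls renders both with `interface` in their Jinja context.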
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+INET=$(ip addr show dev {{ interface }} | \
+  egrep -oe '[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+' | \
+  head -n 1)
+PREFIX=$(printf "2002:%02x%02x:%02x%02x:\n" $(echo $INET | tr . ' '))
+
+ip tunnel add 6to4 mode sit remote 192.88.99.1 local $INET
+ip addr add "${PREFIX}:1/128" dev 6to4
+ip link set 6to4 up
+ip route add 2000::/3 dev 6to4 via ::192.88.99.1
diff --git a/salt/upstream/6to4.sls b/salt/upstream/6to4.sls
new file mode 100644
index 000000000..9164585
--- /dev/null
+++ b/salt/upstream/6to4.sls
@@ -0,0 +1,17 @@
+{%- set interface = pillar['upstream']['interface'] %}
+
+/etc/network/if-up.d/6to4:
+  file.managed:
+    - source: salt://upstream/6to4-up
+    - template: 'jinja'
+    - context:
+        interface: {{ interface }}
+    - mode: 755
+
+/etc/network/if-down.d/6to4:
+  file.managed:
+    - source: salt://upstream/6to4-down
+    - template: 'jinja'
+    - context:
+        interface: {{ interface }}
+    - mode: 755
diff --git a/salt/upstream/nat66 b/salt/upstream/nat66
new file mode 100644
index 000000000..b6b4915
--- /dev/null
+++ b/salt/upstream/nat66
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+if [ "$IFACE" = "{{ interface }}" ]; then
+    ip6tables -t nat -A POSTROUTING -o "$IFACE" -j MASQUERADE
+fi
diff --git a/salt/upstream/nat66.sls b/salt/upstream/nat66.sls
new file mode 100644
index 000000000..9499468
--- /dev/null
+++ b/salt/upstream/nat66.sls
@@ -0,0 +1,11 @@
+{%- set interface = pillar['upstream']['nat66-interface'] %}
+
+/etc/network/if-pre-up.d/nat66:
+  file.managed:
+    - source: salt://upstream/nat66
+    - template: 'jinja'
+    - context:
+        interface: {{ interface }}
+    - mode: 755
+    - require:
+      - pkg: iptables
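Review bot: `INET` is used unchecked: if `{{ interface }}` has no IPv4 address when the hook fires, `ip tunnel add ... local` and the `ip addr add` line run with an empty or malformed argument instead of the script failing early, so guard it before `PREFIX` is computed with `[ -n "$INET" ] || { echo "6to4: no IPv4 address on {{ interface }}" >&2; exit 1; }`. Separately, `192.88.99.1` is the 6to4 anycast relay address that RFC 7526 (2015) deprecated: the relay that answers is operated by an unknown third party, its availability is not guaranteed, and it sits in the path of all IPv6 traffic from this upstream, which deserves a comment next to the `ip tunnel add` line and a conscious decision by whoever runs upstream1. The missing `$IFACE` guard noted on 6to4-down applies to this script as well.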
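Review bot: The hook appends a fresh MASQUERADE rule every time the interface comes up and nothing ever removes it, so duplicates accumulate across ifdown/ifup cycles; make the append conditional on the check form, `ip6tables -t nat -C POSTROUTING -o "$IFACE" -j MASQUERADE 2>/dev/null || ip6tables -t nat -A POSTROUTING -o "$IFACE" -j MASQUERADE`. The rule also translates every forwarded IPv6 source leaving `$IFACE`; if only the internal prefix should be translated, restrict it with `-s <internal-prefix>` so that packets with unexpected source addresses are not rewritten into a valid upstream address.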
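Review bot: The `- require: - pkg: iptables` requisite is only satisfiable where a `pkg` state with that ID is in the same highstate; top.sls assigns `upstream.nat66` to `upstream1` and `upstream2`, which, unlike `anon*`, do not include `upstream.masquerade`, so if that is where `iptables` is declared (not visible here) the state fails on those minions with an unresolved requisite. Either add the sls that declares the pkg state to their lists or declare `iptables: pkg.installed` in this file. The template also hard-fails for any minion whose `upstream` pillar lacks `nat66-interface`; all three pillars in this commit set it, but `salt['pillar.get']('upstream:nat66-interface', pillar['upstream']['interface'])` would give a sane default for the next upstream.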