From 237a47b4f397593a3296d4e0392164d6d492ff95 Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Thu, 13 Jan 2022 14:51:23 +0100
Subject: [PATCH] Add conntrackd role
---
 playbooks/router.yml | 66 +++++++++
 roles/conntrackd/defaults/main.yml | 13 ++
 roles/conntrackd/handlers/main.yml | 6 +
 roles/conntrackd/tasks/main.yml | 29 ++++
 roles/conntrackd/templates/conntrackd.conf.j2 | 53 +++++++
 roles/conntrackd/templates/conntrackd_vrrp.j2 | 129 ++++++++++++++++++
 6 files changed, 296 insertions(+)
 create mode 100644 roles/conntrackd/defaults/main.yml
 create mode 100644 roles/conntrackd/handlers/main.yml
 create mode 100644 roles/conntrackd/tasks/main.yml
 create mode 100644 roles/conntrackd/templates/conntrackd.conf.j2
 create mode 100644 roles/conntrackd/templates/conntrackd_vrrp.j2
diff --git a/playbooks/router.yml b/playbooks/router.yml
index 2608bc6..7b1b9bd 100755
--- a/playbooks/router.yml
+++ b/playbooks/router.yml
@@ -111,6 +111,72 @@
 roles:
 - keepalived
+- hosts:
+ - infra-1.router.auro.re
+ vars:
+ conntrackd_ignore_addrs_ipv6:
+ - ::/128
+ - 2a09:6840:111:0:10::/64
+ - 2a09:6840:128:0:16::/64
+ - 2a09:6840:129:0:245::/64
+ - 2a09:6840:129:0:246::/64
+ - 2a09:6840:130:0:185::/64
+ - 2a09:6840:131:0:248::/64
+ - 2a09:6840:133:0:1::/64
+ - 2a09:6840:134:0:1::/64
+ - 2a09:6840:135:0:1::/64
+ - 2a09:6840:135:0:2::/64
+ conntrackd_ignore_addrs_ipv4:
+ - 127.0.0.1/8
+ - 45.66.111.10
+ - 10.128.0.16
+ - 10.129.0.245
+ - 10.129.0.246
+ - 10.130.0.185
+ - 10.131.0.248
+ - 10.133.0.1
+ - 10.134.0.1
+ - 10.135.0.1
+ - 10.135.0.2
+ conntrackd_udp_dest_ipv6: 10.129.0.246
+ conntrackd_udp_listen_ipv6: 10.129.0.245
+ conntrackd_udp_iface: vlan129
+ roles:
+ - conntrackd
+
+- hosts:
+ - infra-2.router.auro.re
+ vars:
+ conntrackd_ignore_addrs_ipv6:
+ - ::/128
+ - 2a09:6840:111:0:10::/64
+ - 2a09:6840:128:0:16::/64
+ - 2a09:6840:129:0:245::/64
+ - 2a09:6840:129:0:246::/64
+ - 2a09:6840:130:0:185::/64
+ - 2a09:6840:131:0:248::/64
+ - 2a09:6840:133:0:1::/64
+ - 2a09:6840:134:0:1::/64
+ - 2a09:6840:135:0:1::/64
+ - 2a09:6840:135:0:2::/64
+ conntrackd_ignore_addrs_ipv4:
+ - 127.0.0.1/8
+ - 45.66.111.10
+ - 10.128.0.16
+ - 10.129.0.245
+ - 10.129.0.246
+ - 10.130.0.185
+ - 10.131.0.248
+ - 10.133.0.1
+ - 10.134.0.1
+ - 10.135.0.1
+ - 10.135.0.2
+ conntrackd_udp_dest_ipv6: 10.129.0.245
+ conntrackd_udp_listen_ipv6: 10.129.0.246
+ conntrackd_udp_iface: vlan129
+ roles:
+ - conntrackd
+
 - hosts:
 - infra-1.router.auro.re
 - infra-2.router.auro.re
diff --git a/roles/conntrackd/defaults/main.yml b/roles/conntrackd/defaults/main.yml
new file mode 100644
index 0000000..8165c05
--- /dev/null
+++ b/roles/conntrackd/defaults/main.yml
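Review bot: `conntrackd_udp_dest_ipv6` and `conntrackd_udp_listen_ipv6` hold IPv4 addresses (10.129.0.245 / 10.129.0.246) in both new plays, and conntrackd.conf.j2 renders the listen value under `IPv6_address`, a keyword that takes an IPv6 literal, so conntrackd will most likely reject the rendered config at parse time; the neighbouring `IPv4_Destination_Address` shows the intent is IPv4. Rename the pair to `conntrackd_udp_listen_ipv4` / `conntrackd_udp_dest_ipv4` in both plays and in the template, and emit `IPv4_address {{ conntrackd_udp_listen_ipv4 }}` there. The two ignore lists are byte-identical between the plays; keeping them once (group_vars for the two routers, or `vars` on the existing play that already lists both hosts) leaves only the per-host listen/dest addresses duplicated.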
@@ -0,0 +1,13 @@
+---
+conntrackd_hash_size: 8192
+conntrackd_hash_limit: 65535
+conntrackd_socket_buffer_size: 262142
+conntrackd_socket_buffer_size_max: 655355
+conntrackd_ignore_addrs_ipv6: []
+conntrackd_ignore_addrs_ipv4: []
+conntrackd_ftfw_commit_timeout: 1800
+conntrackd_ftfw_purge_timeout: 5
+conntrackd_udp_listen_port: 3780
+conntrackd_udp_send_buffer: 1249280
+conntrackd_udp_receive_buffer: 1249280
+...
diff --git a/roles/conntrackd/handlers/main.yml b/roles/conntrackd/handlers/main.yml
new file mode 100644
index 0000000..afdd941
--- /dev/null
+++ b/roles/conntrackd/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart conntrackd
+ systemd:
+ name: conntrackd
+ state: restarted
+...
diff --git a/roles/conntrackd/tasks/main.yml b/roles/conntrackd/tasks/main.yml
new file mode 100644
index 0000000..c34f5ba
--- /dev/null
+++ b/roles/conntrackd/tasks/main.yml
@@ -0,0 +1,29 @@
+---
+- name: Install conntrackd
+ apt:
+ name: conntrackd
+
+- name: Configure conntrackd
+ template:
+ src: conntrackd.conf.j2
+ dest: /etc/conntrackd/conntrackd.conf
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ notify:
+ - Restart conntrackd
+
+- name: Install conntrackd_vrrp script
+ template:
+ src: conntrackd_vrrp.j2
+ dest: /usr/local/sbin/conntrackd_vrrp
+ owner: root
+ group: root
+ mode: u=rwx,g=r,o=r
+
+- name: Enable and start conntrackd
+ systemd:
+ name: conntrackd
+ enabled: true
+ state: started
+...
diff --git a/roles/conntrackd/templates/conntrackd.conf.j2 b/roles/conntrackd/templates/conntrackd.conf.j2
new file mode 100644
index 0000000..d482c0d
--- /dev/null
+++ b/roles/conntrackd/templates/conntrackd.conf.j2
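Review bot: Three variables the templates require — `conntrackd_udp_listen_ipv6`, `conntrackd_udp_dest_ipv6` and `conntrackd_udp_iface` — have no default in this file and are documented nowhere in the role, so forgetting one surfaces only as an undefined-variable failure inside the template task. Add a header comment listing them as mandatory per-host settings, e.g. `# Required per host, no default: conntrackd_udp_listen_ipv6, conntrackd_udp_dest_ipv6, conntrackd_udp_iface`, and a one-line note that `conntrackd_ignore_addrs_ipv4/ipv6` are meant to hold the host's own addresses (as the router playbook does) so that local flows are filtered from replication.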
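Review bot: The conntrackd_vrrp script is installed to /usr/local/sbin but nothing in this commit calls it: the diffstat touches no keepalived file, so unless a `notify_master`/`notify_backup`/`notify_fault` hook already exists, state transitions never run the cache commit and flush that the FTFW setup depends on. If the hook is configured elsewhere, a comment on the `Install conntrackd_vrrp script` task naming where (`# Invoked by keepalived notify_* hooks, see <keepalived role>`) would save the next reader the search; if it is not, the role is only half wired up and the follow-up should be tracked.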
@@ -0,0 +1,53 @@
+{{ ansible_managed | comment}}
+
+General {
+ HashSize {{ conntrackd_hash_size }}
+ HashLimit {{ conntrackd_hash_limit }}
+
+ Syslog on
+
+ LockFile /var/log/conntrackd.lock
+
+ UNIX {
+ Path /var/run/conntrackd.sock
+ }
+
+ SocketBufferSize {{ conntrackd_socket_buffer_size }}
+ SocketBufferSizeMaxGrown {{ conntrackd_socket_buffer_size_max }}
+
+ Systemd on
+
+ Filter From Userspace {
+ Protocol Accept {
+ TCP
+ UDP
+ }
+ Address Ignore {
+{% for addr in conntrackd_ignore_addrs_ipv6 %}
+ IPv6_address {{ addr }}
+{% endfor %}
+{% for addr in conntrackd_ignore_addrs_ipv4 %}
+ IPv4_address {{ addr }}
+{% endfor %}
+ }
+ }
+}
+
+Sync {
+ Mode FTFW {
+ DisableExternalCache off
+ StartupResync on
+ CommitTimeout {{ conntrackd_ftfw_commit_timeout }}
+ PurgeTimeout {{ conntrackd_ftfw_purge_timeout }}
+ }
+
+ UDP {
+ IPv6_address {{ conntrackd_udp_listen_ipv6 }}
+ IPv4_Destination_Address {{ conntrackd_udp_dest_ipv6 }}
+ Port {{ conntrackd_udp_listen_port }}
+ Interface {{ conntrackd_udp_iface }}
+ SndSocketBuffer {{ conntrackd_udp_send_buffer }}
+ RcvSocketBuffer {{ conntrackd_udp_receive_buffer }}
+ Checksum on
+ }
+}
diff --git a/roles/conntrackd/templates/conntrackd_vrrp.j2 b/roles/conntrackd/templates/conntrackd_vrrp.j2
new file mode 100644
index 0000000..5fdfaab
--- /dev/null
+++ b/roles/conntrackd/templates/conntrackd_vrrp.j2
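Review bot: `LockFile /var/log/conntrackd.lock` disagrees with `CONNTRACKD_LOCK=/var/lock/conntrack.lock` in conntrackd_vrrp.j2, so the backup-transition check for a stale lock (`if [ -f $CONNTRACKD_LOCK ]`) never sees the file the daemon actually writes and its `rm -f` never clears it. Pick one path and drive both templates from a single role variable, e.g. `conntrackd_lock_file: /var/lock/conntrackd.lock` in defaults, rendered as `LockFile {{ conntrackd_lock_file }}` here and `CONNTRACKD_LOCK={{ conntrackd_lock_file }}` in the script; /var/log is also an unusual place for a lock file. Worth a comment above the `UDP` block as well: the FTFW sync channel carries no authentication (`Checksum on` only detects corruption), so the listener on port {{ conntrackd_udp_listen_port }} relies on the hosts' packet filter limiting it to the peer on vlan129, and that dependency is invisible from this file.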
@@ -0,0 +1,129 @@
+#!/bin/sh
+
+{{ ansible_managed | comment }}
+
+#
+# (C) 2006-2011 by Pablo Neira Ayuso
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# Description:
+#
+# This is the script for primary-backup setups for keepalived
+# (http://www.keepalived.org). You may adapt it to make it work with other
+# high-availability managers.
+#
+# Do not forget to include the required modifications to your keepalived.conf
+# file to invoke this script during keepalived's state transitions.
+#
+# Contributions to improve this script are welcome :).
+#
+
+CONNTRACKD_BIN=/usr/sbin/conntrackd
+CONNTRACKD_LOCK=/var/lock/conntrack.lock
+CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf
+
+case "$1" in
+ primary)
+ #
+ # commit the external cache into the kernel table
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -c"
+ fi
+
+ #
+ # flush the internal and the external caches
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -f"
+ fi
+
+ #
+ # resynchronize my internal cache to the kernel table
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -R"
+ fi
+
+ #
+ # send a bulk update to backups
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -B"
+ fi
+ ;;
+ backup)
+ #
+ # is conntrackd running? request some statistics to check it
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s
+ if [ $? -eq 1 ]
+ then
+ #
+ # something's wrong, do we have a lock file?
+ #
+ if [ -f $CONNTRACKD_LOCK ]
+ then
+ logger "WARNING: conntrackd was not cleanly stopped."
+ logger "If you suspect that it has crashed:"
+ logger "1) Enable coredumps"
+ logger "2) Try to reproduce the problem"
+ logger "3) Post the coredump to netfilter-devel@vger.kernel.org"
+ rm -f $CONNTRACKD_LOCK
+ fi
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: cannot launch conntrackd"
+ exit 1
+ fi
+ fi
+ #
+ # shorten kernel conntrack timers to remove the zombie entries.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -t"
+ fi
+
+ #
+ # request resynchronization with master firewall replica (if any)
+ # Note: this does nothing in the alarm approach.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -n"
+ fi
+ ;;
+ fault)
+ #
+ # shorten kernel conntrack timers to remove the zombie entries.
+ #
+ $CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
+ if [ $? -eq 1 ]
+ then
+ logger "ERROR: failed to invoke conntrackd -t"
+ fi
+ ;;
+ *)
+ logger "ERROR: unknown state transition"
+ echo "Usage: $0 {primary|backup|fault}"
+ exit 1
+ ;;
+esac
+
+exit 0
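Review bot: Every status check in the script is `if [ $? -eq 1 ]`, which reacts only to an exit status of exactly 1; any other failure (a missing binary gives 127, a signal gives 128+n) is logged as nothing and the transition carries on as if it succeeded, and `$CONNTRACKD_CONFIG` / `$CONNTRACKD_LOCK` are expanded unquoted throughout. This appears to be the upstream conntrack-tools primary-backup script carried almost verbatim, so the smallest safe change is to test the command itself, `if ! "$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" -c; then` (same for -f, -R, -B, -s, -d, -t, -n), and to quote the lock path in the `-f` test and the `rm -f`. A short comment under the `{{ ansible_managed }}` line saying which keepalived notify hook is expected to call the script with `primary|backup|fault` would also help, since the upstream header still talks about editing keepalived.conf by hand.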