Add conntrackd role

This commit is contained in:
jeltz 2022-01-13 14:51:23 +01:00
parent 4d85cd7e4b
commit 237a47b4f3
Signed by: jeltz
GPG key ID: 800882B66C0C3326
6 changed files with 296 additions and 0 deletions


@ -111,6 +111,72 @@
roles: roles:
- keepalived - keepalived
- hosts:
- infra-1.router.auro.re
vars:
conntrackd_ignore_addrs_ipv6:
- ::/128
- 2a09:6840:111:0:10::/64
- 2a09:6840:128:0:16::/64
- 2a09:6840:129:0:245::/64
- 2a09:6840:129:0:246::/64
- 2a09:6840:130:0:185::/64
- 2a09:6840:131:0:248::/64
- 2a09:6840:133:0:1::/64
- 2a09:6840:134:0:1::/64
- 2a09:6840:135:0:1::/64
- 2a09:6840:135:0:2::/64
conntrackd_ignore_addrs_ipv4:
- 127.0.0.1/8
- 45.66.111.10
- 10.128.0.16
- 10.129.0.245
- 10.129.0.246
- 10.130.0.185
- 10.131.0.248
- 10.133.0.1
- 10.134.0.1
- 10.135.0.1
- 10.135.0.2
conntrackd_udp_dest_ipv6: 10.129.0.246
conntrackd_udp_listen_ipv6: 10.129.0.245
conntrackd_udp_iface: vlan129
roles:
- conntrackd
- hosts:
- infra-2.router.auro.re
vars:
conntrackd_ignore_addrs_ipv6:
- ::/128
- 2a09:6840:111:0:10::/64
- 2a09:6840:128:0:16::/64
- 2a09:6840:129:0:245::/64
- 2a09:6840:129:0:246::/64
- 2a09:6840:130:0:185::/64
- 2a09:6840:131:0:248::/64
- 2a09:6840:133:0:1::/64
- 2a09:6840:134:0:1::/64
- 2a09:6840:135:0:1::/64
- 2a09:6840:135:0:2::/64
conntrackd_ignore_addrs_ipv4:
- 127.0.0.1/8
- 45.66.111.10
- 10.128.0.16
- 10.129.0.245
- 10.129.0.246
- 10.130.0.185
- 10.131.0.248
- 10.133.0.1
- 10.134.0.1
- 10.135.0.1
- 10.135.0.2
conntrackd_udp_dest_ipv6: 10.129.0.245
conntrackd_udp_listen_ipv6: 10.129.0.246
conntrackd_udp_iface: vlan129
roles:
- conntrackd
- hosts: - hosts:
- infra-1.router.auro.re - infra-1.router.auro.re
- infra-2.router.auro.re - infra-2.router.auro.re
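Review bot: `conntrackd_udp_dest_ipv6` and `conntrackd_udp_listen_ipv6` are given IPv4 addresses (10.129.0.245/246) on both hosts, and the template renders the listen value into an `IPv6_address` directive, which conntrackd will most likely reject when it parses the config; either rename the variables to `conntrackd_udp_listen_ipv4`/`conntrackd_udp_dest_ipv4` and emit `IPv4_address` in the template, or supply the vlan129 IPv6 addresses here. Note also that conntrackd's UDP sync is neither authenticated nor encrypted (`Checksum on` only detects corruption), so any host reachable on vlan129 can inject or purge connection state on the peer; restrict the sync port (3780 unless overridden) on that interface to the single peer address with a firewall rule, or keep the sync on a dedicated link. `::/128` in the ignore list is the unspecified address; if the intent was to ignore loopback as in the upstream sample config, that should be `::1/128`. Both hosts repeat the same 22 ignore entries, so hoisting the lists into a group var for the two routers would keep them from drifting apart.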


@ -0,0 +1,13 @@
---
conntrackd_hash_size: 8192
conntrackd_hash_limit: 65535
conntrackd_socket_buffer_size: 262142
conntrackd_socket_buffer_size_max: 655355
conntrackd_ignore_addrs_ipv6: []
conntrackd_ignore_addrs_ipv4: []
conntrackd_ftfw_commit_timeout: 1800
conntrackd_ftfw_purge_timeout: 5
conntrackd_udp_listen_port: 3780
conntrackd_udp_send_buffer: 1249280
conntrackd_udp_receive_buffer: 1249280
...
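Review bot: The defaults carry no explanation of the knobs, and two of them fail silently when wrong: per the upstream conntrackd sample config, `conntrackd_ignore_addrs_ipv4`/`_ipv6` should list every address owned by the router itself (including VRRP and sync addresses) so that only forwarded connections are replicated, and `conntrackd_hash_limit` bounds how many entries the daemon caches, so on a router whose `nf_conntrack_max` exceeds 65535 it needs raising (upstream suggests twice `nf_conntrack_max`). Suggested comments above those keys: `# Addresses of this node; connections to/from them are local and not replicated` and `# Max cached conntracks; keep above nf_conntrack_max (upstream suggests 2x)`. The literal `655355` for `conntrackd_socket_buffer_size_max` matches the upstream sample but reads like a typo, so a short comment noting it is intentional would prevent a well-meaning "fix".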


@ -0,0 +1,6 @@
---
- name: Restart conntrackd
systemd:
name: conntrackd
state: restarted
...


@ -0,0 +1,29 @@
---
- name: Install conntrackd
apt:
name: conntrackd
- name: Configure conntrackd
template:
src: conntrackd.conf.j2
dest: /etc/conntrackd/conntrackd.conf
owner: root
group: root
mode: u=rw,g=r,o=r
notify:
- Restart conntrackd
- name: Install conntrackd_vrrp script
template:
src: conntrackd_vrrp.j2
dest: /usr/local/sbin/conntrackd_vrrp
owner: root
group: root
mode: u=rwx,g=r,o=r
- name: Enable and start conntrackd
systemd:
name: conntrackd
enabled: true
state: started
...
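Review bot: The `Install conntrackd_vrrp script` task installs the keepalived transition hook, but nothing in this diff configures keepalived to call it with `primary|backup|fault`; unless the keepalived role already does so, the external cache is never committed on failover and the new primary starts with an empty conntrack table, dropping every established flow. A comment above the task such as `# Must be wired into keepalived notify_master/notify_backup/notify_fault` would make that dependency explicit for whoever edits the keepalived role. The script also hard-codes the config and lock paths, so if those ever become role variables this task should template them rather than rely on the defaults matching.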


@ -0,0 +1,53 @@
{{ ansible_managed | comment}}
General {
HashSize {{ conntrackd_hash_size }}
HashLimit {{ conntrackd_hash_limit }}
Syslog on
LockFile /var/log/conntrackd.lock
UNIX {
Path /var/run/conntrackd.sock
}
SocketBufferSize {{ conntrackd_socket_buffer_size }}
SocketBufferSizeMaxGrown {{ conntrackd_socket_buffer_size_max }}
Systemd on
Filter From Userspace {
Protocol Accept {
TCP
UDP
}
Address Ignore {
{% for addr in conntrackd_ignore_addrs_ipv6 %}
IPv6_address {{ addr }}
{% endfor %}
{% for addr in conntrackd_ignore_addrs_ipv4 %}
IPv4_address {{ addr }}
{% endfor %}
}
}
}
Sync {
Mode FTFW {
DisableExternalCache off
StartupResync on
CommitTimeout {{ conntrackd_ftfw_commit_timeout }}
PurgeTimeout {{ conntrackd_ftfw_purge_timeout }}
}
UDP {
IPv6_address {{ conntrackd_udp_listen_ipv6 }}
IPv4_Destination_Address {{ conntrackd_udp_dest_ipv6 }}
Port {{ conntrackd_udp_listen_port }}
Interface {{ conntrackd_udp_iface }}
SndSocketBuffer {{ conntrackd_udp_send_buffer }}
RcvSocketBuffer {{ conntrackd_udp_receive_buffer }}
Checksum on
}
}
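Review bot: `IPv6_address {{ conntrackd_udp_listen_ipv6 }}` is paired with `IPv4_Destination_Address {{ conntrackd_udp_dest_ipv6 }}`, and the playbook feeds both variables IPv4 addresses, so the UDP block mixes address families and conntrackd will most likely refuse the rendered `IPv6_address 10.129.0.245`. Use one family consistently, e.g. `IPv4_address {{ conntrackd_udp_listen_ipv4 }}` and `IPv4_Destination_Address {{ conntrackd_udp_dest_ipv4 }}` with the playbook variables renamed to match, or switch both directives to IPv6 and supply IPv6 addresses. Since the UDP transport carries no authentication, `Interface`, `Address Ignore` and `Checksum on` are not a security boundary; a comment in the UDP block such as `{# Sync is unauthenticated: firewall UDP/{{ conntrackd_udp_listen_port }} on {{ conntrackd_udp_iface }} to the peer address only #}` would flag that for whoever maintains the router rules. `LockFile /var/log/conntrackd.lock` also puts a lock in the log directory, where log rotation or cleanup tooling may touch it; the conventional location is `/var/lock/conntrack.lock`.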


@ -0,0 +1,129 @@
#!/bin/sh
{{ ansible_managed | comment }}
#
# (C) 2006-2011 by Pablo Neira Ayuso <pablo@netfilter.org>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# Description:
#
# This is the script for primary-backup setups for keepalived
# (http://www.keepalived.org). You may adapt it to make it work with other
# high-availability managers.
#
# Do not forget to include the required modifications to your keepalived.conf
# file to invoke this script during keepalived's state transitions.
#
# Contributions to improve this script are welcome :).
#
CONNTRACKD_BIN=/usr/sbin/conntrackd
CONNTRACKD_LOCK=/var/lock/conntrack.lock
CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf
case "$1" in
primary)
#
# commit the external cache into the kernel table
#
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c
if [ $? -eq 1 ]
then
logger "ERROR: failed to invoke conntrackd -c"
fi
#
# flush the internal and the external caches
#
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f
if [ $? -eq 1 ]
then
logger "ERROR: failed to invoke conntrackd -f"
fi
#
# resynchronize my internal cache to the kernel table
#
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R
if [ $? -eq 1 ]
then
logger "ERROR: failed to invoke conntrackd -R"
fi
#
# send a bulk update to backups
#
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B
if [ $? -eq 1 ]
then
logger "ERROR: failed to invoke conntrackd -B"
fi
;;
backup)
#
# is conntrackd running? request some statistics to check it
#
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s
if [ $? -eq 1 ]
then
#
# something's wrong, do we have a lock file?
#
if [ -f $CONNTRACKD_LOCK ]
then
logger "WARNING: conntrackd was not cleanly stopped."
logger "If you suspect that it has crashed:"
logger "1) Enable coredumps"
logger "2) Try to reproduce the problem"
logger "3) Post the coredump to netfilter-devel@vger.kernel.org"
rm -f $CONNTRACKD_LOCK
fi
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d
if [ $? -eq 1 ]
then
logger "ERROR: cannot launch conntrackd"
exit 1
fi
fi
#
# shorten kernel conntrack timers to remove the zombie entries.
#
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
if [ $? -eq 1 ]
then
logger "ERROR: failed to invoke conntrackd -t"
fi
#
# request resynchronization with master firewall replica (if any)
# Note: this does nothing in the alarm approach.
#
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n
if [ $? -eq 1 ]
then
logger "ERROR: failed to invoke conntrackd -n"
fi
;;
fault)
#
# shorten kernel conntrack timers to remove the zombie entries.
#
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
if [ $? -eq 1 ]
then
logger "ERROR: failed to invoke conntrackd -t"
fi
;;
*)
logger "ERROR: unknown state transition"
echo "Usage: $0 {primary|backup|fault}"
exit 1
;;
esac
exit 0
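Review bot: `CONNTRACKD_LOCK=/var/lock/conntrack.lock` does not match the `LockFile /var/log/conntrackd.lock` that the role's conntrackd.conf template sets, so the stale-lock recovery in the `backup)` branch checks a path conntrackd never writes; after an unclean stop the `conntrackd -d` relaunch will likely fail on the real lock file and the only trace is the "cannot launch conntrackd" log line. Either set `CONNTRACKD_LOCK=/var/log/conntrackd.lock` here or, better, template both paths from a single role variable so they cannot drift. Separately, every `if [ $? -eq 1 ]` only catches exit status 1, so other non-zero exits (a crash or a killed process) pass silently; `if ! "$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" -c; then` catches them all and quotes the paths, which matters for a script keepalived runs as root. The `primary)` branch always falls through to `exit 0` even when `-c` or `-f` failed, so keepalived cannot tell a broken failover from a clean one; consider propagating a non-zero status there as the `backup)` branch already does for a failed launch.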