From 9de88d0a2838dbf865f277bf32ac0ce8a74d3ffc Mon Sep 17 00:00:00 2001
From: Jeltz
Date: Wed, 5 Jul 2023 01:18:52 +0200
Subject: [PATCH] ifupdown2: improve wireguard support
- add prio to ensure idempotency when reloading the iface
- add proto to ease route filtering in bird
---
 roles/ifupdown2/defaults/main.yml | 2 ++
 roles/ifupdown2/templates/interfaces.j2 | 20 ++++++++++++--------
 2 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/roles/ifupdown2/defaults/main.yml b/roles/ifupdown2/defaults/main.yml
index 745da82..2c5b16c 100644
--- a/roles/ifupdown2/defaults/main.yml
+++ b/roles/ifupdown2/defaults/main.yml
@@ -2,4 +2,6 @@
 ifupdown2__interfaces: {}
 ifupdown2__wireguard: {}
 ifupdown2__wireguard_keepalive: 0
+ifupdown2__wireguard_proto: boot
+ifupdown2__prio_base: 100
 ...
diff --git a/roles/ifupdown2/templates/interfaces.j2 b/roles/ifupdown2/templates/interfaces.j2
index 06f5cba..db0c344 100644
--- a/roles/ifupdown2/templates/interfaces.j2
+++ b/roles/ifupdown2/templates/interfaces.j2
@@ -1,6 +1,9 @@
 {{ ansible_managed | comment }}
-{% macro iface_common(iface) %}
+auto lo
+iface lo
+
+{% macro iface_common(iface, index=None) %}
 {% for address in iface.addresses | default([]) %}
 address {{ address | ipaddr }}
 {% endfor %}
@@ -12,10 +15,11 @@ ip-forward yes
 ip6-forward yes
 {% endif %}
 {% if iface.goto_table is defined %}
-pre-up ip rule add iif $IFACE table {{ iface.goto_table }}
-pre-up ip rule add iif $IFACE blackhole
-post-down ip rule del iif $IFACE table {{ iface.goto_table }}
-post-down ip rule del iif $IFACE blackhole
+{% set prio = ifupdown2__prio_base + 2 * index %}
+pre-up ip rule add prio {{ prio }} iif $IFACE table {{ iface.goto_table }}
+pre-up ip rule add prio {{ prio + 1 }} iif $IFACE blackhole
+post-down ip rule del prio {{ prio }} iif $IFACE table {{ iface.goto_table }}
+post-down ip rule del prio {{ prio + 1 }} iif $IFACE blackhole
 {% endif %}
 {% if iface.ipv6_addrgen is defined %}
 ipv6-addrgen {{ iface.ipv6_addrgen
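Review bot: `ifupdown2__prio_base: 100` is added without any hint of what the number governs, yet the template derives two consecutive `ip rule` priorities per wireguard interface from it, so an operator who also manages policy rules on the host cannot tell which range this role claims. A comment above the key would make the contract explicit, e.g. `# first ip rule priority the role may use; every wireguard iface with goto_table takes prio_base + 2*i and prio_base + 2*i + 1`. For `ifupdown2__wireguard_proto: boot` a one-line comment that the value must be a route protocol name or number accepted by `ip route add … proto` would similarly save the reader a lookup.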
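Review bot: `{% set prio = ifupdown2__prio_base + 2 * index %}` in the second interfaces.j2 hunk evaluates `2 * None` whenever the macro is invoked without `index`, which the new signature `iface_common(iface, index=None)` in the first hunk deliberately permits; if any caller outside these hunks still uses the one-argument form (the `{% endfor %}` and `iface {{ name }}` context in the following hunk suggests an earlier interface loop does) and that interface defines `goto_table`, rendering now fails instead of producing the previous unprioritised rules. Either drop the `None` default so the mistake is caught at the call site, or keep the old rule form as the fallback when no index is supplied, as sketched below. The macro body continues past the end of the second hunk.
```jinja
{% if iface.goto_table is defined %}
{% if index is none %}
pre-up ip rule add iif $IFACE table {{ iface.goto_table }}
pre-up ip rule add iif $IFACE blackhole
post-down ip rule del iif $IFACE table {{ iface.goto_table }}
post-down ip rule del iif $IFACE blackhole
{% else %}
{% set prio = ifupdown2__prio_base + 2 * index %}
{# … unchanged: prioritised pre-up/post-down rules … #}
{% endif %}
{% endif %}
```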
@@ -50,14 +54,14 @@ iface {{ name }}
 {% endfor %}
-{% for name, iface in ifupdown2__wireguard.items() %}
+{% for name, iface in ifupdown2__wireguard.items() | sort(attribute="0") %}
 auto {{ name }}
 iface {{ name }}
 link-type wireguard
- {{ iface_common(iface) | indent(4) }}
+ {{ iface_common(iface, index=loop.index) | indent(4) }}
 pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
 {% for address in iface.peer_allowed_addresses | default([]) %}
- post-up ip route add {{ address }} dev $IFACE
+ post-up ip route add {{ address }} proto {{ ifupdown2__wireguard_proto }} dev $IFACE
 {% endfor %}
 {% endfor %}
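Review bot: `index=loop.index` is 1-based, so the first wireguard interface is assigned `ifupdown2__prio_base + 2` and `+ 3` and the pair at `prio_base` / `prio_base + 1` is never used; if the base is meant to be the first priority the role occupies, pass `index=loop.index0` instead, otherwise a short comment on the line saying the first pair is intentionally left free would stop the next reader from "fixing" it. `ifupdown2__wireguard.items() | sort(attribute="0")` does give the stable ordering the priorities rely on, but `ifupdown2__wireguard | dictsort` is the idiomatic Jinja form for iterating a mapping by key and states the intent directly.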