ifupdown2: improve wireguard support
- add prio to ensure idempotency when reloading the iface - add proto to ease route filtering in bird
parent
655f744a11
commit
9de88d0a28
2 changed files with 14 additions and 8 deletions
|
@ -2,4 +2,6 @@
|
||||||
ifupdown2__interfaces: {}
|
ifupdown2__interfaces: {}
|
||||||
ifupdown2__wireguard: {}
|
ifupdown2__wireguard: {}
|
||||||
ifupdown2__wireguard_keepalive: 0
|
ifupdown2__wireguard_keepalive: 0
|
||||||
|
ifupdown2__wireguard_proto: boot
|
||||||
|
ifupdown2__prio_base: 100
|
||||||
...
|
...
|
||||||
|
|
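Review bot: The new defaults `ifupdown2__wireguard_proto` and `ifupdown2__prio_base` are added without any comment, yet `ifupdown2__prio_base` now decides where the role's `ip rule` entries sit relative to every other policy-routing rule on the host. The template uses `ifupdown2__prio_base + 2 * index` and the next priority for each wireguard interface, so an operator with existing rules just above 100 cannot tell from this file that the ranges may overlap. I would add `# first ip rule priority for goto_table rules; each wireguard interface takes two consecutive priorities above it` over `ifupdown2__prio_base`, and `# rtproto name or number set on peer_allowed_addresses routes` over `ifupdown2__wireguard_proto`.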
|
@ -1,6 +1,9 @@
|
||||||
{{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
{% macro iface_common(iface) %}
|
auto lo
|
||||||
|
iface lo
|
||||||
|
|
||||||
|
{% macro iface_common(iface, index=None) %}
|
||||||
{% for address in iface.addresses | default([]) %}
|
{% for address in iface.addresses | default([]) %}
|
||||||
address {{ address | ipaddr }}
|
address {{ address | ipaddr }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
@ -12,10 +15,11 @@ ip-forward yes
|
||||||
ip6-forward yes
|
ip6-forward yes
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if iface.goto_table is defined %}
|
{% if iface.goto_table is defined %}
|
||||||
pre-up ip rule add iif $IFACE table {{ iface.goto_table }}
|
{% set prio = ifupdown2__prio_base + 2 * index %}
|
||||||
pre-up ip rule add iif $IFACE blackhole
|
pre-up ip rule add prio {{ prio }} iif $IFACE table {{ iface.goto_table }}
|
||||||
post-down ip rule del iif $IFACE table {{ iface.goto_table }}
|
pre-up ip rule add prio {{ prio + 1 }} iif $IFACE blackhole
|
||||||
post-down ip rule del iif $IFACE blackhole
|
post-down ip rule del prio {{ prio }} iif $IFACE table {{ iface.goto_table }}
|
||||||
|
post-down ip rule del prio {{ prio + 1 }} iif $IFACE blackhole
|
||||||
{% endif %}
|
{% endif %}
|
||||||
{% if iface.ipv6_addrgen is defined %}
|
{% if iface.ipv6_addrgen is defined %}
|
||||||
ipv6-addrgen {{ iface.ipv6_addrgen
|
ipv6-addrgen {{ iface.ipv6_addrgen
|
||||||
|
@ -50,14 +54,14 @@ iface {{ name }}
|
||||||
|
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
{% for name, iface in ifupdown2__wireguard.items() %}
|
{% for name, iface in ifupdown2__wireguard.items() | sort(attribute="0") %}
|
||||||
auto {{ name }}
|
auto {{ name }}
|
||||||
iface {{ name }}
|
iface {{ name }}
|
||||||
link-type wireguard
|
link-type wireguard
|
||||||
{{ iface_common(iface) | indent(4) }}
|
{{ iface_common(iface, index=loop.index) | indent(4) }}
|
||||||
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
|
pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf
|
||||||
{% for address in iface.peer_allowed_addresses | default([]) %}
|
{% for address in iface.peer_allowed_addresses | default([]) %}
|
||||||
post-up ip route add {{ address }} dev $IFACE
|
post-up ip route add {{ address }} proto {{ ifupdown2__wireguard_proto }} dev $IFACE
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
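Review bot: `index` defaults to `None` in `iface_common(iface, index=None)`, but the `goto_table` branch computes `ifupdown2__prio_base + 2 * index` unconditionally, so any caller that omits `index` for an interface with `goto_table` set will fail at render time. Only the wireguard loop is shown passing `index=loop.index`; the other call sites are outside the visible hunks. Because the `table`/`blackhole` pair is what keeps traffic arriving on the interface from falling through to later rules, the contract should be explicit rather than left to a type error, for example `{# index: 1-based sorted position; required when iface.goto_table is defined #}` on the macro. The priority also follows the interface's position in the name-sorted list, so adding or removing a name that sorts earlier renumbers every later interface. The `post-down ip rule del prio …` lines rendered from the new config may then no longer match rules installed from the old one, and a per-interface priority value would avoid that.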