WIP: Infrastructure routers #91
6 changed files with 296 additions and 0 deletions
|
@ -111,6 +111,72 @@
|
||||||
roles:
|
roles:
|
||||||
- keepalived
|
- keepalived
|
||||||
|
|
||||||
|
- hosts:
|
||||||
|
- infra-1.router.auro.re
|
||||||
|
vars:
|
||||||
|
conntrackd_ignore_addrs_ipv6:
|
||||||
|
- ::/128
|
||||||
|
- 2a09:6840:111:0:10::/64
|
||||||
|
- 2a09:6840:128:0:16::/64
|
||||||
|
- 2a09:6840:129:0:245::/64
|
||||||
|
- 2a09:6840:129:0:246::/64
|
||||||
|
- 2a09:6840:130:0:185::/64
|
||||||
|
- 2a09:6840:131:0:248::/64
|
||||||
|
- 2a09:6840:133:0:1::/64
|
||||||
|
- 2a09:6840:134:0:1::/64
|
||||||
|
- 2a09:6840:135:0:1::/64
|
||||||
|
- 2a09:6840:135:0:2::/64
|
||||||
|
conntrackd_ignore_addrs_ipv4:
|
||||||
|
- 127.0.0.1/8
|
||||||
|
- 45.66.111.10
|
||||||
|
- 10.128.0.16
|
||||||
|
- 10.129.0.245
|
||||||
|
- 10.129.0.246
|
||||||
|
- 10.130.0.185
|
||||||
|
- 10.131.0.248
|
||||||
|
- 10.133.0.1
|
||||||
|
- 10.134.0.1
|
||||||
|
- 10.135.0.1
|
||||||
|
- 10.135.0.2
|
||||||
|
conntrackd_udp_dest_ipv6: 10.129.0.246
|
||||||
|
conntrackd_udp_listen_ipv6: 10.129.0.245
|
||||||
|
conntrackd_udp_iface: vlan129
|
||||||
|
roles:
|
||||||
|
- conntrackd
|
||||||
|
|
||||||
|
- hosts:
|
||||||
|
- infra-2.router.auro.re
|
||||||
|
vars:
|
||||||
|
conntrackd_ignore_addrs_ipv6:
|
||||||
|
- ::/128
|
||||||
|
- 2a09:6840:111:0:10::/64
|
||||||
|
- 2a09:6840:128:0:16::/64
|
||||||
|
- 2a09:6840:129:0:245::/64
|
||||||
|
- 2a09:6840:129:0:246::/64
|
||||||
|
- 2a09:6840:130:0:185::/64
|
||||||
|
- 2a09:6840:131:0:248::/64
|
||||||
|
- 2a09:6840:133:0:1::/64
|
||||||
|
- 2a09:6840:134:0:1::/64
|
||||||
|
- 2a09:6840:135:0:1::/64
|
||||||
|
- 2a09:6840:135:0:2::/64
|
||||||
|
conntrackd_ignore_addrs_ipv4:
|
||||||
|
- 127.0.0.1/8
|
||||||
|
- 45.66.111.10
|
||||||
|
- 10.128.0.16
|
||||||
|
- 10.129.0.245
|
||||||
|
- 10.129.0.246
|
||||||
|
- 10.130.0.185
|
||||||
|
- 10.131.0.248
|
||||||
|
- 10.133.0.1
|
||||||
|
- 10.134.0.1
|
||||||
|
- 10.135.0.1
|
||||||
|
- 10.135.0.2
|
||||||
|
conntrackd_udp_dest_ipv6: 10.129.0.245
|
||||||
|
conntrackd_udp_listen_ipv6: 10.129.0.246
|
||||||
|
conntrackd_udp_iface: vlan129
|
||||||
|
roles:
|
||||||
|
- conntrackd
|
||||||
|
|
||||||
- hosts:
|
- hosts:
|
||||||
- infra-1.router.auro.re
|
- infra-1.router.auro.re
|
||||||
- infra-2.router.auro.re
|
- infra-2.router.auro.re
|
||||||
|
|
13
roles/conntrackd/defaults/main.yml
Normal file
13
roles/conntrackd/defaults/main.yml
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
---
|
||||||
|
conntrackd_hash_size: 8192
|
||||||
|
conntrackd_hash_limit: 65535
|
||||||
|
conntrackd_socket_buffer_size: 262142
|
||||||
|
conntrackd_socket_buffer_size_max: 655355
|
||||||
|
conntrackd_ignore_addrs_ipv6: []
|
||||||
|
conntrackd_ignore_addrs_ipv4: []
|
||||||
|
conntrackd_ftfw_commit_timeout: 1800
|
||||||
|
conntrackd_ftfw_purge_timeout: 5
|
||||||
|
conntrackd_udp_listen_port: 3780
|
||||||
|
conntrackd_udp_send_buffer: 1249280
|
||||||
|
conntrackd_udp_receive_buffer: 1249280
|
||||||
|
...
|
6
roles/conntrackd/handlers/main.yml
Normal file
6
roles/conntrackd/handlers/main.yml
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
- name: Restart conntrackd
|
||||||
|
systemd:
|
||||||
|
name: conntrackd
|
||||||
|
state: restarted
|
||||||
|
...
|
29
roles/conntrackd/tasks/main.yml
Normal file
29
roles/conntrackd/tasks/main.yml
Normal file
|
@ -0,0 +1,29 @@
|
||||||
|
---
|
||||||
|
- name: Install conntrackd
|
||||||
|
apt:
|
||||||
|
name: conntrackd
|
||||||
|
|
||||||
|
- name: Configure conntrackd
|
||||||
|
template:
|
||||||
|
src: conntrackd.conf.j2
|
||||||
|
dest: /etc/conntrackd/conntrackd.conf
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rw,g=r,o=r
|
||||||
|
notify:
|
||||||
|
- Restart conntrackd
|
||||||
|
|
||||||
|
- name: Install conntrackd_vrrp script
|
||||||
|
template:
|
||||||
|
src: conntrackd_vrrp.j2
|
||||||
|
dest: /usr/local/sbin/conntrackd_vrrp
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
mode: u=rwx,g=r,o=r
|
||||||
|
|
||||||
|
- name: Enable and start conntrackd
|
||||||
|
systemd:
|
||||||
|
name: conntrackd
|
||||||
|
enabled: true
|
||||||
|
state: started
|
||||||
|
...
|
53
roles/conntrackd/templates/conntrackd.conf.j2
Normal file
53
roles/conntrackd/templates/conntrackd.conf.j2
Normal file
|
@ -0,0 +1,53 @@
|
||||||
|
{{ ansible_managed | comment}}
|
||||||
|
|
||||||
|
General {
|
||||||
|
HashSize {{ conntrackd_hash_size }}
|
||||||
|
HashLimit {{ conntrackd_hash_limit }}
|
||||||
|
|
||||||
|
Syslog on
|
||||||
|
|
||||||
|
LockFile /var/log/conntrackd.lock
|
||||||
|
|
||||||
|
UNIX {
|
||||||
|
Path /var/run/conntrackd.sock
|
||||||
|
}
|
||||||
|
|
||||||
|
SocketBufferSize {{ conntrackd_socket_buffer_size }}
|
||||||
|
SocketBufferSizeMaxGrown {{ conntrackd_socket_buffer_size_max }}
|
||||||
|
|
||||||
|
Systemd on
|
||||||
|
|
||||||
|
Filter From Userspace {
|
||||||
|
Protocol Accept {
|
||||||
|
TCP
|
||||||
|
UDP
|
||||||
|
}
|
||||||
|
Address Ignore {
|
||||||
|
{% for addr in conntrackd_ignore_addrs_ipv6 %}
|
||||||
|
IPv6_address {{ addr }}
|
||||||
|
{% endfor %}
|
||||||
|
{% for addr in conntrackd_ignore_addrs_ipv4 %}
|
||||||
|
IPv4_address {{ addr }}
|
||||||
|
{% endfor %}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Sync {
|
||||||
|
Mode FTFW {
|
||||||
|
DisableExternalCache off
|
||||||
|
StartupResync on
|
||||||
|
CommitTimeout {{ conntrackd_ftfw_commit_timeout }}
|
||||||
|
PurgeTimeout {{ conntrackd_ftfw_purge_timeout }}
|
||||||
|
}
|
||||||
|
|
||||||
|
UDP {
|
||||||
|
IPv6_address {{ conntrackd_udp_listen_ipv6 }}
|
||||||
|
IPv4_Destination_Address {{ conntrackd_udp_dest_ipv6 }}
|
||||||
|
Port {{ conntrackd_udp_listen_port }}
|
||||||
|
Interface {{ conntrackd_udp_iface }}
|
||||||
|
SndSocketBuffer {{ conntrackd_udp_send_buffer }}
|
||||||
|
RcvSocketBuffer {{ conntrackd_udp_receive_buffer }}
|
||||||
|
Checksum on
|
||||||
|
}
|
||||||
|
}
|
129
roles/conntrackd/templates/conntrackd_vrrp.j2
Normal file
129
roles/conntrackd/templates/conntrackd_vrrp.j2
Normal file
|
@ -0,0 +1,129 @@
|
||||||
|
#!/bin/sh
|
||||||
|
|
||||||
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
|
#
|
||||||
|
# (C) 2006-2011 by Pablo Neira Ayuso <pablo@netfilter.org>
|
||||||
|
#
|
||||||
|
# This program is free software; you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU General Public License as published by
|
||||||
|
# the Free Software Foundation; either version 2 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# Description:
|
||||||
|
#
|
||||||
|
# This is the script for primary-backup setups for keepalived
|
||||||
|
# (http://www.keepalived.org). You may adapt it to make it work with other
|
||||||
|
# high-availability managers.
|
||||||
|
#
|
||||||
|
# Do not forget to include the required modifications to your keepalived.conf
|
||||||
|
# file to invoke this script during keepalived's state transitions.
|
||||||
|
#
|
||||||
|
# Contributions to improve this script are welcome :).
|
||||||
|
#
|
||||||
|
|
||||||
|
CONNTRACKD_BIN=/usr/sbin/conntrackd
|
||||||
|
CONNTRACKD_LOCK=/var/lock/conntrack.lock
|
||||||
|
CONNTRACKD_CONFIG=/etc/conntrackd/conntrackd.conf
|
||||||
|
|
||||||
|
case "$1" in
|
||||||
|
primary)
|
||||||
|
#
|
||||||
|
# commit the external cache into the kernel table
|
||||||
|
#
|
||||||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -c
|
||||||
|
if [ $? -eq 1 ]
|
||||||
|
then
|
||||||
|
logger "ERROR: failed to invoke conntrackd -c"
|
||||||
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
# flush the internal and the external caches
|
||||||
|
#
|
||||||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -f
|
||||||
|
if [ $? -eq 1 ]
|
||||||
|
then
|
||||||
|
logger "ERROR: failed to invoke conntrackd -f"
|
||||||
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
# resynchronize my internal cache to the kernel table
|
||||||
|
#
|
||||||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -R
|
||||||
|
if [ $? -eq 1 ]
|
||||||
|
then
|
||||||
|
logger "ERROR: failed to invoke conntrackd -R"
|
||||||
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
# send a bulk update to backups
|
||||||
|
#
|
||||||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -B
|
||||||
|
if [ $? -eq 1 ]
|
||||||
|
then
|
||||||
|
logger "ERROR: failed to invoke conntrackd -B"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
backup)
|
||||||
|
#
|
||||||
|
# is conntrackd running? request some statistics to check it
|
||||||
|
#
|
||||||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -s
|
||||||
|
if [ $? -eq 1 ]
|
||||||
|
then
|
||||||
|
#
|
||||||
|
# something's wrong, do we have a lock file?
|
||||||
|
#
|
||||||
|
if [ -f $CONNTRACKD_LOCK ]
|
||||||
|
then
|
||||||
|
logger "WARNING: conntrackd was not cleanly stopped."
|
||||||
|
logger "If you suspect that it has crashed:"
|
||||||
|
logger "1) Enable coredumps"
|
||||||
|
logger "2) Try to reproduce the problem"
|
||||||
|
logger "3) Post the coredump to netfilter-devel@vger.kernel.org"
|
||||||
|
rm -f $CONNTRACKD_LOCK
|
||||||
|
fi
|
||||||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -d
|
||||||
|
if [ $? -eq 1 ]
|
||||||
|
then
|
||||||
|
logger "ERROR: cannot launch conntrackd"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
#
|
||||||
|
# shorten kernel conntrack timers to remove the zombie entries.
|
||||||
|
#
|
||||||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
|
||||||
|
if [ $? -eq 1 ]
|
||||||
|
then
|
||||||
|
logger "ERROR: failed to invoke conntrackd -t"
|
||||||
|
fi
|
||||||
|
|
||||||
|
#
|
||||||
|
# request resynchronization with master firewall replica (if any)
|
||||||
|
# Note: this does nothing in the alarm approach.
|
||||||
|
#
|
||||||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -n
|
||||||
|
if [ $? -eq 1 ]
|
||||||
|
then
|
||||||
|
logger "ERROR: failed to invoke conntrackd -n"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
fault)
|
||||||
|
#
|
||||||
|
# shorten kernel conntrack timers to remove the zombie entries.
|
||||||
|
#
|
||||||
|
$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG -t
|
||||||
|
if [ $? -eq 1 ]
|
||||||
|
then
|
||||||
|
logger "ERROR: failed to invoke conntrackd -t"
|
||||||
|
fi
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
logger "ERROR: unknown state transition"
|
||||||
|
echo "Usage: $0 {primary|backup|fault}"
|
||||||
|
exit 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
exit 0
|
Loading…
Reference in a new issue