
  1. #
  2. # {{ site }} / {{ network }} FASTd configuration (Salt managed)
  3. #
  4. {%- set node_config = salt['pillar.get']('node') %}
  5. log to syslog level info;
  6. interface "{{ site }}_{{ network }}";
  7. {% if network_type == 'nodes' and 'batman_gw' in node_config.get ('roles') %}
  8. method "null"; # Null-cipher for node VPNs
  9. {%- endif %}
  10. {%- if 'aes' in grains.cpu_flags %}
  11. method "aes128-gcm";
  12. method "aes128-ctr+umac";
  13. {%- else %}
  14. #method "aes128-gcm"; # Not supported by CPU on this machine
  15. #method "aes128-ctr+umac"; # Not supported by CPU on this machine
  16. {%- endif %}
  17. method "salsa2012+umac";
  18. {# Calculating FASTd port depending on network_type #}
  19. {%- set port = -1 %}
  20. {%- if network_type == 'nodes' %}
  21. {%- set port = 10000 + site_no|int %}
  22. {%- elif network_type == 'intergw' %}
  23. {%- set port = 11000 + site_no|int %}
  24. {%- endif %}
  25. {%- if network in ['nodes4', 'intergw'] %}
  26. bind 0.0.0.0:{{ port }} interface "vrf_external";
  27. {%- endif %}
  28. {%- if network in ['nodes6', 'intergw'] %}
  29. bind [::]:{{ port }} interface "vrf_external";
  30. {%- endif %}
  31. # Mark packets to make sure they are associated to VRF vrf_external.
  32. # Specifying the interface and setsockopt() isn't enough for fastd.
  33. packet mark 0x1023;
  34. secret "{{ secret }}";
  35. mtu 1406;
  36. status socket "/var/run/fastd.{{ site }}_{{ network }}.sock";
  37. on up "
  38. ip link set $INTERFACE down
  39. ip link set address {{ mac_address }} dev $INTERFACE
  40. ip link set $INTERFACE up
  41. batctl meshif {{ bat_iface }} if add $INTERFACE
  42. # Make VPN more expensive than intra DC/DCI/WBBL links
  43. batctl hardif $INTERFACE hop_penalty {{ iface_penalty }}
  44. ";
  45. on down "
  46. batctl meshif {{ bat_iface }} if del $INTERFACE
  47. ";
  48. {%- if network_type == 'nodes' %}
  49. on verify "/etc/fastd/verify-peer.sh $PEER_KEY $PEER_ADDRESS";
  50. {%- if peer_limit %}
  51. peer limit {{ peer_limit }};
  52. {%- endif %}
  53. {%- elif network_type == 'intergw' %}
  54. #
  55. # Set up Inter-Gw-VPN link to all nodes of this site
  56. {%- set node_is_gw = True if grains.id.startswith('gw') else False %}
  57. {%- for peer, peer_config in salt['pillar.get']('nodes').items ()|sort if peer != grains.id %}
  58. {%- if site not in peer_config.get ('sites', {}) %}{% continue %}{% endif %}
  59. {%- if 'fastd' not in peer_config %}{% continue %}{% endif %}
  60. {#- non gw nodes are only allowed to connect to gw peers #}
  61. {%- set peer_is_gw = True if peer.startswith('gw') else False %}
  62. {%- if not node_is_gw and not peer_is_gw %}{% continue %}{% endif %}
  63. # Peer config for {{ peer }}
  64. peer "{{ peer }}" {
  65. key "{{ peer_config.get('fastd', {}).get('intergw_pubkey') }}";
  66. {%- if peer_is_gw %}
  67. {%- set ips = salt['ffho_net.get_node_iface_ips'](peer_config, 'vrf_external') %}
  68. {#- set peer IPv4 address #}
  69. {%- for ipv4 in ips['v4'] %}
  70. remote {{ ipv4 }}:{{ port }};
  71. {%- endfor %}
  72. {#- set peer IPv6 address if node has IPv6 #}
  73. {%- for ipv6 in ips['v6'] %}
  74. remote [{{ ipv6 }}]:{{ port }};
  75. {%- endfor %}
  76. {%- endif %}
  77. }
  78. {%- endfor %}
  79. {%- endif %}