
  1. #
  2. # {{ site }} / {{ network }} FASTd configuration (Salt managed)
  3. #
  4. {%- set node_config = salt['pillar.get']('nodes:' ~ grains['id']) %}
  5. {%- set meshif = "meshif" %}
  6. {%- if grains.oscodename != "buster" %}
  7. {%- set meshif = "-m" %}
  8. {%- endif %}
  9. log to syslog level info;
  10. interface "{{ site }}_{{ network }}";
  11. {%- if 'aes' in grains.cpu_flags and grains.oscodename not in [ "stretch" ] %}
  12. method "aes128-gcm";
  13. method "aes128-ctr+umac";
  14. {%- else %}
  15. #method "aes128-gcm"; # Not supported by CPU on this machine
  16. #method "aes128-ctr+umac"; # Not supported by CPU on this machine
  17. {%- endif %}
  18. method "salsa2012+umac";
  19. {%- if network_type == 'nodes' and 'batman_gw' in node_config.get ('roles') %}
  20. method "null"; # Null-cipher for node VPNs
  21. {% endif %}
  22. {#- Calculating FASTd port depending on network_type #}
  23. {%- set port = -1 %}
  24. {%- if network_type == 'nodes' %}
  25. {%- set port = 10000 + site_no|int %}
  26. {%- elif network_type == 'intergw' %}
  27. {%- set port = 11000 + site_no|int %}
  28. {%- endif %}
  29. {%- if network in ['nodes4', 'intergw'] %}
  30. bind 0.0.0.0:{{ port }} interface "vrf_external";
  31. {%- endif %}
  32. {%- if network in ['nodes6', 'intergw'] %}
  33. bind [::]:{{ port }} interface "vrf_external";
  34. {%- endif %}
  35. # Mark packets to make sure they are associated to VRF vrf_external.
  36. # Specifying the interface and setsockopt() isn't enough for fastd.
  37. packet mark 0x1023;
  38. secret "{{ secret }}";
  39. mtu 1406;
  40. status socket "/var/run/fastd.{{ site }}_{{ network }}.sock";
  41. on up "
  42. ip link set $INTERFACE down
  43. ip link set address {{ mac_address }} dev $INTERFACE
  44. ip link set $INTERFACE up
  45. batctl {{ meshif }} {{ bat_iface }} if add $INTERFACE
  46. {%- if grains.oscodename == "buster" or 'batman-iface-penalty' in node_config.get ('tags', []) %}
  47. # Make VPN more expensive than intra DC/DCI/WBBL links
  48. batctl hardif $INTERFACE hop_penalty 50
  49. {%- endif %}
  50. ";
  51. on down "
  52. batctl {{ meshif }} {{ bat_iface }} if del $INTERFACE
  53. ";
  54. {%- if network_type == 'nodes' %}
  55. on verify "/etc/fastd/verify-peer.sh $PEER_KEY $PEER_ADDRESS";
  56. {%- if peer_limit %}
  57. peer limit {{ peer_limit }};
  58. {%- endif %}
  59. {%- elif network_type == 'intergw' %}
  60. #
  61. # Set up Inter-Gw-VPN link to all nodes of this site
  62. {%- set node_is_gw = True if grains.id.startswith('gw') else False %}
  63. {%- for peer, peer_config in salt['pillar.get']('nodes').items ()|sort if peer != grains.id %}
  64. {%- if site not in peer_config.get ('sites', {}) %}{% continue %}{% endif %}
  65. {%- if 'fastd' not in peer_config %}{% continue %}{% endif %}
  66. {#- non gw nodes are only allowed to connect to gw peers #}
  67. {%- set peer_is_gw = True if peer.startswith('gw') else False %}
  68. {%- if not node_is_gw and not peer_is_gw %}{% continue %}{% endif %}
  69. # Peer config for {{ peer }}
  70. peer "{{ peer }}" {
  71. key "{{ peer_config.get('fastd', {}).get('intergw_pubkey') }}";
  72. {%- if peer_is_gw %}
  73. {%- set ips = salt['ffho_net.get_node_iface_ips'](peer_config, 'vrf_external') %}
  74. {#- set peer IPv4 address #}
  75. {%- for ipv4 in ips['v4'] %}
  76. remote {{ ipv4 }}:{{ port }};
  77. {%- endfor %}
  78. {#- set peer IPv6 address if node has IPv6 #}
  79. {%- for ipv6 in ips['v6'] %}
  80. remote [{{ ipv6 }}]:{{ port }};
  81. {%- endfor %}
  82. {%- endif %}
  83. }
  84. {%- endfor %}
  85. {%- endif %}