# # {{ site }} / {{ network }} FASTd configuration (Salt managed) # {%- set meshif = "meshif" %} {%- if grains.oscodename != "buster" %} {%- set meshif = "-m" %} {%- endif %} log to syslog level info; interface "{{ site }}_{{ network }}"; {%- if 'aes' in grains.cpu_flags and grains.oscodename not in [ "stretch" ] %} method "aes128-gcm"; method "aes128-ctr+umac"; {%- else %} #method "aes128-gcm"; # - Not supported by CPU on this machine #method "aes128-ctr+umac"; # - Not supported by CPU on this machine {%- endif %} method "salsa2012+umac"; {#- Calculating FASTd port depending on network_type #} {%- set port = -1 %} {%- if network_type == 'nodes' %} {%- set port = 10000 + site_no|int %} {%- elif network_type == 'intergw' %} {%- set port = 11000 + site_no|int %} {%- endif %} {%- if network in ['nodes4', 'intergw'] %} bind 0.0.0.0:{{ port }} interface "vrf_external"; {%- endif %} {%- if network in ['nodes6', 'intergw'] %} bind [::]:{{ port }} interface "vrf_external"; {%- endif %} # Mark packets to make sure they are associated to VRF vrf_external. # Specifying the interface and setsockopt() isn't enough for fastd. packet mark 0x1023; secret "{{ secret }}"; mtu 1406; status socket "/var/run/fastd.{{ site }}_{{ network }}.sock"; on up " ip link set $INTERFACE down ip link set address {{ mac_address }} dev $INTERFACE ip link set $INTERFACE up batctl {{ meshif }} {{ bat_iface }} if add $INTERFACE {%- if grains.oscodename == "buster" or 'batman-iface-penalty' in salt['pillar.get']('nodes:' ~ grains['id'] ~ ':tags', []) %} # Make VPN more expensive than intra DC/DCI/WBBL links batctl hardif $INTERFACE hop_penalty 50 {%- endif %} "; on down " batctl {{ meshif }} {{ bat_iface }} if del $INTERFACE "; {%- if network_type == 'nodes' %} on verify "/etc/fastd/verify-peer.sh $PEER_KEY $PEER_ADDRESS"; {%- if peer_limit %} peer limit {{ peer_limit }}; {%- endif %} {%- elif network_type == 'intergw' %} # # Set up Inter-Gw-VPN link to all nodes of this site {%- set node_is_gw = True if grains.id.startswith('gw') else False %} {%- for peer, peer_config in salt['pillar.get']('nodes').items ()|sort if peer != grains.id %} {%- if site not in peer_config.get ('sites', {}) %}{% continue %}{% endif %} {%- if 'fastd' not in peer_config %}{% continue %}{% endif %} {#- non gw nodes are only allowed to connect to gw peers #} {%- set peer_is_gw = True if peer.startswith('gw') else False %} {%- if not node_is_gw and not peer_is_gw %}{% continue %}{% endif %} # Peer config for {{ peer }} peer "{{ peer }}" { key "{{ peer_config.get('fastd', {}).get('intergw_pubkey') }}"; {%- if peer_is_gw %} {%- set ips = salt['ffho_net.get_node_iface_ips'](peer_config, 'vrf_external') %} {#- set peer IPv4 address #} {%- for ipv4 in ips['v4'] %} remote {{ ipv4 }}:{{ port }}; {%- endfor %} {#- set peer IPv6 address if node has IPv6 #} {%- for ipv6 in ips['v6'] %} remote [{{ ipv6 }}]:{{ port }}; {%- endfor %} {%- endif %} } {%- endfor %} {%- if grains.id == "gw04.in.ffho.net" and site == "pad-cty" %} # Peer config for biobluemchen peer "biobluemchen" { key "28755f3c50867a689f89925a7b6444ade78a55f249ab69f1244a1be2fe331a5e"; } {%- endif %} {%- endif %}