Add epdg ifupdown specific traffic rules

2024-02-16 03:28:59 +01:00 · 2024-02-16 03:28:59 +01:00 · 76c96ed6f1
parent b37def7d7c
commit 76c96ed6f1
7 changed files with 85 additions and 0 deletions
--- a/epdg.yml
+++ b/epdg.yml
@ -14,6 +14,10 @@
    net_method: ifupdown

  - name: epdg
+    net_method: ifupdown
+    epdg_ipsec_traffic_fwmark: 2
+    epdg_ipsec_traffic_rtable_name: epdg
+    epdg_ipsec_traffic_rtable_number: 2
    epdg_tun_interface: gtp0
    epdg_ipsec_bind_ip: 213.95.46.81
    epdg_swx_hss_ip: 10.74.0.21
--- a/roles/epdg/defaults/main.yml
+++ b/roles/epdg/defaults/main.yml
@ -1,4 +1,10 @@
 ---
+epdg_ipsec_traffic_fwmark: 2
+epdg_ipsec_traffic_rtable_name: epdg
+epdg_ipsec_traffic_rtable_number: 2
+
+epdg_tun_interface: gtp0
+
 epdg_swx_hss_ip: 127.0.0.2
 epdg_swx_hss_port: 3868

--- a/roles/epdg/tasks/epdg_ipsec_traffic.yml
+++ b/roles/epdg/tasks/epdg_ipsec_traffic.yml
@ -0,0 +1,41 @@
+---
+- name: create routing table epdg
+  lineinfile:
+    path: /etc/iproute2/rt_tables
+    line: "{{ epdg_ipsec_traffic_rtable_number }} {{ epdg_ipsec_traffic_rtable_name }}"
+    state: present
+    backup: yes
+
+- name: ensure interfaces.d exists (ifupdown)
+  file:
+    path: /etc/network/interfaces.d
+    state: directory
+  when: net_method == "ifupdown"
+
+- name: configure epdg specific interfaces (ifupdown)
+  template:
+    src: ifupdown_epdg.j2
+    dest: /etc/network/interfaces.d/epdg.conf
+  notify: ifup -a
+  when: net_method == "ifupdown"
+
+- name: ensure networkd.conf.d exists (ifupdown)
+  file:
+    path: /etc/systemd/networkd.conf.d/
+    state: directory
+  when: net_method == "networkd"
+
+- name: configure epdg routing table name (networkd)
+  template:
+    src: networkd_epdg.conf.j2
+    dest: /etc/systemd/networkd.conf.d/epdg.conf
+  notify: reload networkd
+  when: net_method == "networkd"
+
+- name: configure epdg specific interfaces (networkd)
+  template:
+    src: networkd_epdg.network.j2
+    dest: /etc/systemd/network/epdg.network
+  notify: reload networkd
+  when: net_method == "networkd"
+
--- a/roles/epdg/tasks/main.yml
+++ b/roles/epdg/tasks/main.yml
@ -75,3 +75,11 @@
    pkg:
      - libgtpnl-dev
      - libgtpnl-tools
+
+- name: setup ipsec traffic routing
+  ansible.builtin.include_tasks:
+    file: "epdg_ipsec_traffic.yml"
+    apply:
+      tags:
+        - epdg_ipsec_traffic
+  tags: epdg_ipsec_traffic
--- a/roles/epdg/templates/ifupdown_epdg.j2
+++ b/roles/epdg/templates/ifupdown_epdg.j2
@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+allow-hotplug {{ epdg_tun_interface }}
+iface gtp0 inet manual
+	up ip rule add fwmark {{ epdg_ipsec_traffic_fwmark }} table {{ epdg_ipsec_traffic_rtable_name }}
+	up ip route add default dev {{ epdg_tun_interface }} table {{ epdg_ipsec_traffic_rtable_name }}
+	down ip route del default dev {{ epdg_tun_interface }} table {{ epdg_ipsec_traffic_rtable_name }}
+	down ip rule del fwmark {{ epdg_ipsec_traffic_fwmark }} table {{ epdg_ipsec_traffic_rtable_name }}
--- a/roles/epdg/templates/networkd_epdg.conf.j2
+++ b/roles/epdg/templates/networkd_epdg.conf.j2
@ -0,0 +1,4 @@
+# {{ ansible_managed }}
+
+[NETWORK]
+RouteTable={{ epdg_ipsec_traffic_rtable_name }}:{{ epdg_ipsec_traffic_rtable_number }}
--- a/roles/epdg/templates/networkd_epdg.network.j2
+++ b/roles/epdg/templates/networkd_epdg.network.j2
@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+
+[Match]
+Name={{ epdg_tun_interface }}
+
+# ip rule add fwmark {{ epdg_ipsec_traffic_fwmark }} table {{ epdg_ipsec_traffic_rtable_name }}
+[RoutingPolicyRule]
+FirewallMark={{ epdg_ipsec_traffic_fwmark }}
+Table={{ epdg_ipsec_traffic_rtable_name }}
+
+#ip route add default dev {{ epdg_tun_interface }} table {{ epdg_ipsec_traffic_rtable_name }}
+[Route]
+Gateway=0.0.0.0
+Table={{ epdg_ipsec_traffic_rtable_name }}