From 8981d527333372b09ef5a82e343fb3c839068121 Mon Sep 17 00:00:00 2001
From: ruben
Date: Fri, 8 May 2015 02:38:08 +0200
Subject: [PATCH] Add second fastd instance with MTU 1280 to circumvent unstable connections with Kabel Deutschland
---
 manifests/fastd.pp | 28 +++++++++++++++++---
 manifests/init.pp | 36 ++++++++++++++------------
 templates/etc/fastd/fastd-low.conf.erb | 23 ++++++++++++++++
 3 files changed, 68 insertions(+), 19 deletions(-)
 create mode 100644 templates/etc/fastd/fastd-low.conf.erb
diff --git a/manifests/fastd.pp b/manifests/fastd.pp
index c6bc538..e4a174f 100644
--- a/manifests/fastd.pp
+++ b/manifests/fastd.pp
@@ -3,10 +3,10 @@
 , $mesh_mac
 , $vpn_mac
 , $mesh_mtu = 1426
-
+ , $mesh_mtu_low = 1280
 , $fastd_secret
 , $fastd_port
-
+ , $fastd_low_port
 , $fastd_peers_git
 ) {
 #validate_re($mesh_mac, '^de:ad:be:[0-9a-f]{2}:[0-9a-f]{2}:[0-9a-f]{2}$')
@@ -16,7 +16,7 @@
 
 ffnord::monitor::nrpe::check_command {
 "fastd_${mesh_code}":
- command => "/usr/lib/nagios/plugins/check_procs -c 1:1 -w 1:1 -C fastd -a \"${mesh_code}-mesh-vpn\"";
+ command => "/usr/lib/nagios/plugins/check_procs -c 1:1 -w 1:1 -C fastd --ereg-argument \"${mesh_code}-mesh-vpn\\b\"\n/usr/lib/nagios/plugins/check_procs -c 1:1 -w 1:1 -C fastd -a \"${mesh_code}-mesh-low-vpn\"";
 }
 
 ffnord::monitor::zabbix::check_script {
@@ -43,6 +43,19 @@
 source => $fastd_secret,
 mode => '0600',
 } ->
+ file {
+ "/etc/fastd/${mesh_code}-mesh-low-vpn/":
+ ensure =>directory,
+ require => Package[ffnord::resources::fastd];
+ "/etc/fastd/${mesh_code}-mesh-low-vpn/fastd.conf":
+ ensure => file,
+ notify => Service[ffnord::resources::fastd],
+ content => template('ffnord/etc/fastd/fastd-low.conf.erb');
+ "/etc/fastd/${mesh_code}-mesh-low-vpn/secret.conf":
+ ensure => file,
+ source => $fastd_secret,
+ mode => '0600',
+ } ->
 ffnord::batman-adv { "ffnord_batman_adv_${mesh_code}": mesh_code => $mesh_code; } ->
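Review bot: The new `command` value in the `@@ -16,7 +16,7 @@` hunk embeds a literal `\n` between the two check_procs invocations, so the string handed to `ffnord::monitor::nrpe::check_command` contains a real newline; if that define writes it into a single `command[...]=` entry of the NRPE config (its implementation is not in this diff), the second invocation lands on a line of its own without the `command[...]=` prefix, NRPE ignores or rejects it, and the `fastd_${mesh_code}` check only ever reports on the primary instance. The `@@ -52,11 +65,20 @@` hunk adds a second `ffnord::firewall::service` for the low instance instead of folding it into the existing one; do the same here with a second check, `"fastd_low_${mesh_code}": command => "/usr/lib/nagios/plugins/check_procs -c 1:1 -w 1:1 -C fastd -a \"${mesh_code}-mesh-low-vpn\"";`, and keep the original `-a "${mesh_code}-mesh-vpn"` line as it was. The enclosing `ffnord::fastd` define starts and ends outside this hunk.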
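Review bot: `ensure =>directory` on the new `/etc/fastd/${mesh_code}-mesh-low-vpn/` resource in the `@@ -43,6 +43,19 @@` hunk drops the space after `=>` that every other attribute in the hunk has; write `ensure => directory,`. Beyond style, the new `secret.conf` writes a second copy of the same `$fastd_secret` with `mode => '0600'` but, unlike the `fastd.conf` resource next to it, carries no `notify`, so a rotated secret lands on disk without the low instance being restarted and the old key stays in use until something else bounces the service; the primary instance's `secret.conf` in the context lines above is only partly visible, so this may mirror an existing gap rather than introduce one. The enclosing `ffnord::fastd` define starts and ends outside this hunk.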
@@ -52,11 +65,20 @@
 source => $fastd_peers_git,
 notify => Class[ffnord::resources::fastd::auto_fetch_keys];
 } ->
+ file { "/etc/fastd/${mesh_code}-mesh-low-vpn/peers":
+ ensure => 'link',
+ target => "/etc/fastd/${mesh_code}-mesh-vpn/peers",
+ }
 ffnord::firewall::service { "fastd-${mesh_code}":
 ports => [$fastd_port],
 protos => ['udp'],
 chains => ['wan']
 }
+ ffnord::firewall::service { "fastd-low-${mesh_code}":
+ ports => [$fastd_low_port],
+ protos => ['udp'],
+ chains => ['wan']
+ }
 file { "/etc/fastd/${mesh_code}-mesh-vpn/peers/.git/hooks/post-merge":
diff --git a/manifests/init.pp b/manifests/init.pp
index 21565d3..baae719 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
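Review bot: The low instance's `peers` directory is a symlink into the primary's git checkout, so it only ever sees keys that the primary's fetch brings in, yet the `post-merge` hook resource in the trailing context line is keyed to `${mesh_code}-mesh-vpn`; unless that hook reloads every fastd instance (its content is outside this hunk), the low instance will not learn about newly merged peer keys, and a key removed from the repository keeps being accepted on `$fastd_low_port`, until the service is restarted for some other reason. Either make the hook reload both instances or give the low instance its own reload trigger. As a point of style, the new `file { "/etc/fastd/${mesh_code}-mesh-low-vpn/peers": ... }` closes with `}` where the surrounding resources use `} ->`, which breaks the ordering chain; harmless for a symlink whose target need not exist, but it reads as an oversight next to the chained resources on either side. The enclosing `ffnord::fastd` define starts and ends outside this hunk.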
@@ -1,21 +1,23 @@
 define ffnord::mesh(
- $mesh_name, # Name of your community, e.g.: Freifunk Gotham City
- $mesh_code, # Code of your community, e.g.: ffgc
- $mesh_as, # AS of your community
- $mesh_mac, # mac address mesh device: 52:54:00:bd:e6:d4
- $vpn_mac, # mac address vpn device, ideally != mesh_mac and unique
- $mesh_mtu = 1426, # mtu used, default only suitable for fastd via ipv4
- $range_ipv4, # ipv4 range allocated to community in cidr notation, e.g. 10.35.0.1/16
- $mesh_ipv4, # ipv4 address in cidr notation, e.g. 10.35.0.1/19
- $mesh_ipv6, # ipv6 address in cidr notation, e.g. fd35:f308:a922::ff00/64
- $mesh_peerings, # path to the local peerings description yaml file
+ $mesh_name, # Name of your community, e.g.: Freifunk Gotham City
+ $mesh_code, # Code of your community, e.g.: ffgc
+ $mesh_as, # AS of your community
+ $mesh_mac, # mac address mesh device: 52:54:00:bd:e6:d4
+ $vpn_mac, # mac address vpn device, ideally != mesh_mac and unique
+ $mesh_mtu = 1426, # mtu used, default only suitable for fastd via ipv4
+ $mesh_mtu_low = 1280, # mtu used for new fastd instance that is "Kabel Deutschland safe"
+ $range_ipv4, # ipv4 range allocated to community in cidr notation, e.g. 10.35.0.1/16
+ $mesh_ipv4, # ipv4 address in cidr notation, e.g. 10.35.0.1/19
+ $mesh_ipv6, # ipv6 address in cidr notation, e.g. fd35:f308:a922::ff00/64
+ $mesh_peerings, # path to the local peerings description yaml file
+
+ $fastd_peers_git, # fastd peers
+ $fastd_secret, # fastd secret
+ $fastd_port, # fastd port
+ $fastd_low_port = 11280, # fastd port for second fastd instance with $mesh_mtu_low
 
- $fastd_peers_git, # fastd peers
- $fastd_secret, # fastd secret
- $fastd_port, # fastd port
-
- $dhcp_ranges = [], # dhcp pool
- $dns_servers = [], # other dns servers in your network
+ $dhcp_ranges = [], # dhcp pool
+ $dns_servers = [], # other dns servers in your network
 ) {
 
 # TODO We should handle parameters in a param class pattern.
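Review bot: `$fastd_low_port = 11280` gets a fixed default while `$fastd_port` directly above it has none, so two `ffnord::mesh` instances on one host that both leave the default in place will both try to `bind any:11280` and both open the same UDP port in the wan chain; only the first instance to start can bind, and the other mesh's low-MTU peers have no service to reach while the firewall rule suggests otherwise. Either drop the default so the port has to be chosen per mesh like `$fastd_port`, or state the constraint where the value is set: `$fastd_low_port = 11280, # udp port of the second fastd instance (mtu $mesh_mtu_low); must be unique per host`. The comment on `$mesh_mtu_low` only tells readers who know the provider why the value is 1280; `# mtu of the second fastd instance: 1280 is the IPv6 minimum and avoids the unstable connections seen behind Kabel Deutschland` says what the number is. The parameter list belongs to `define ffnord::mesh(`, whose body continues outside this hunk.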
@@ -68,8 +70,10 @@
 mesh_mac => $mesh_mac,
 vpn_mac => $vpn_mac,
 mesh_mtu => $mesh_mtu,
+ mesh_mtu_low => $mesh_mtu_low,
 fastd_secret => $fastd_secret,
 fastd_port => $fastd_port,
+ fastd_low_port => $fastd_low_port,
 fastd_peers_git => $fastd_peers_git;
 } ->
 ffnord::radvd { "br-${mesh_code}":
diff --git a/templates/etc/fastd/fastd-low.conf.erb b/templates/etc/fastd/fastd-low.conf.erb
new file mode 100644
index 0000000..71aa06a
--- /dev/null
+++ b/templates/etc/fastd/fastd-low.conf.erb
@@ -0,0 +1,23 @@
+# managed by puppet -- editing is futile
+
+log to syslog as "fastd-low-<%= @mesh_code %>" level error;
+interface "<%= @mesh_code %>-mesh-low-vpn";
+method "salsa2012+umac"; # since fastd v15
+method "salsa2012+gmac";
+method "xsalsa20-poly1305"; # deprecated
+bind any:<%= @fastd_low_port %>;
+hide ip addresses yes;
+hide mac addresses yes;
+include "secret.conf";
+mtu <%= @mesh_mtu_low %>;
+status socket "/var/run/fastd-status.<%= @mesh_code %>.sock";
+include peers from "peers";
+on up "
+ modprobe batman-adv
+ ip link set address <%= @vpn_mac %> dev $INTERFACE
+ /usr/sbin/batctl -m bat-<%= @mesh_code %> if add $INTERFACE
+ ip link set address <%= @mesh_mac %> dev bat-<%= @mesh_code %>
+ ifup bat-<%= @mesh_code %>
+ ip link set up dev $INTERFACE
+ #service alfred start bat-<%= @mesh_code %>
+";
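Review bot: `status socket "/var/run/fastd-status.<%= @mesh_code %>.sock"` in the new template has no `low` component although the `log to syslog as` name and the `interface` name above it do; if the primary template uses that same path (it is not part of this diff), the two instances of one mesh contend for a single unix socket and the second to start either fails or takes over the status endpoint of the first, so give it a distinct path such as `status socket "/var/run/fastd-status.<%= @mesh_code %>-low.sock";`. The `on up` script also assigns `<%= @vpn_mac %>` to the new interface, presumably the same address the primary's interface gets, and then adds both as hard interfaces of `bat-<%= @mesh_code %>`; `init.pp` describes `$vpn_mac` as "ideally != mesh_mac and unique", so two hard interfaces sharing one MAC on the same batman-adv instance is a configuration that needs verifying, and a separate `$vpn_mac_low` parameter threaded through `ffnord::mesh` and `ffnord::fastd` would make it unambiguous. Re-running `ip link set address <%= @mesh_mac %> dev bat-…` and `ifup bat-…` from the second instance touches a device the first instance already configured and is redundant at best. Finally, `method "xsalsa20-poly1305"; # deprecated` is being copied into a brand-new endpoint; if the low port is only meant for current clients, this is the place to leave the deprecated method out.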