more work on edge.... adding support for dynamic ipsec subnets and some more minor patches

2018-10-19 19:57:07 +02:00 · 2018-10-19 19:57:07 +02:00 · ea70e243fe
parent 587bba4290
commit ea70e243fe
3 changed files with 31 additions and 15 deletions
--- a/debian/wit-network-config.postinst
+++ b/debian/wit-network-config.postinst
@ -24,13 +24,19 @@ case "$1" in
        IFCONFIG="/etc/network/interfaces"
        UDEVCONFIG="/etc/udev/rules.d/70-persistent-net.rules"
        FRRCONFIG="/etc/frr/frr.conf.wit"
+	IPSECCONFIG="/etc/ipsec.conf.wit"


-        HOSTNAME=edge2.usw2.admin.wit.com
+	#HOSTNAME=d21.usw2.admin.wit.com
+        HOSTNAME=bastion.usw2.admin.wit.com
+        #HOSTNAME=edge2.usw2.admin.wit.com
+
        IFCONFIG="/tmp/interfaces"
        UDEVCONFIG="/tmp/70-persistent-net.rules"
        FRRCONFIG="/tmp/frr.conf.wit"
+	IPSECCONFIG="/tmp/ipsec.conf.wit"
        cp files/frr.conf.wit /tmp
+        cp files/ipsec.conf.wit /tmp


     ## START gather all the info from the box and generate the variabels
@ -60,7 +66,7 @@ case "$1" in
     ## START nic config compile


-      # wiping existing config in prep for de-deploying it
+      # wiping existing config in prep for re-deploying it
        mv -f ${IFCONFIG} ${IFCONFIG}.dpkg-old || true
        mv -f ${UDEVCONFIG} ${UDEVCONFIG}.dpkg-old || true

@ -200,6 +206,7 @@ case "$1" in

     ## START compiling frr config

+         ## compile public IP space prefix lists, this is what's going to be advertised out the upstream provider
            i=1
            while true; do 
                TEMP="$(dig_txt $i.ipv4.public.prefixlist.usw2.admin.wit.com)" || break
@ -220,6 +227,8 @@ case "$1" in
                let i+=1
            done

+
+         ## compile customer IP blocks that we accept. this in theory should be a combination of *all* public blocks used accross regions while limiting it a smaller subnet size
            i=1
            while true; do 
                TEMP="$(dig_txt $i.ipv4.customers.prefixlist.usw2.admin.wit.com)" || break
@ -237,11 +246,14 @@ case "$1" in
            done


+	 ## compile loopback IP blocks that we wanna accept to be injected into the bgp
            i=1
            while true; do 
                TEMP="$(dig_txt $i.ipv4.loopback.prefixlist.usw2.admin.wit.com)" || break
                TEMPSUM="ip prefix-list LOOPBACKv4 seq $((i*5)) permit ${TEMP} ge 32\n"
                FRR_IPV4_LOOPBACK_PFLIST="${FRR_IPV4_LOOPBACK_PFLIST}${TEMPSUM}"
+		[ -z $IPSEC_IPV4_SUBNETS ] || IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS},"
+		IPSEC_IPV4_SUBNETS="${IPSEC_IPV4_SUBNETS}${TEMP}"
                let i+=1
            done

@ -250,6 +262,8 @@ case "$1" in
                TEMP="$(dig_txt $i.ipv6.loopback.prefixlist.usw2.admin.wit.com)" || break
                TEMPSUM="ipv6 prefix-list LOOPBACKv6 seq $((i*5)) permit ${TEMP} ge 128\n"
                FRR_IPV6_LOOPBACK_PFLIST="${FRR_IPV6_LOOPBACK_PFLIST}${TEMPSUM}"
+		[ -z $IPSEC_IPV6_SUBNETS ] || IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS},"
+		IPSEC_IPV6_SUBNETS="${IPSEC_IPV6_SUBNETS}${TEMP}"
                let i+=1
            done

@ -275,16 +289,22 @@ case "$1" in
                -e "s/NODEASN/${NODEASN}/"  \
                $FRRCONFIG
 	[ -z $FRR_EDGE_NEIGH ] || sed -i -e 's/!!!  //' $FRRCONFIG
-exit 2
-        chown frr.frr $FRRCONFIG /etc/frr/daemons.wit



      # set ipsec config
-        sed -i -e "s/FQHOSTNAME/${HOSTNAME}/" /etc/ipsec.conf.wit
+        sed -i \
+                -e "s/FQHOSTNAME/${HOSTNAME}/" \
+                -e "s/IPSEC_IPV4_SUBNETS/$IPSEC_IPV4_SUBNETS/" \
+                -e "s/IPSEC_IPV6_SUBNETS/$IPSEC_IPV6_SUBNETS/" \
+                $IPSECCONFIG
+exit 100
        echo ": RSA ${HOSTNAME}.key" >/etc/ipsec.secrets


+        chown frr.frr $FRRCONFIG /etc/frr/daemons.wit
+
+

      # wite grub rules for serial terminal
        sed -i -e '/GRUB_CMDLINE_LINUX_DEFAULT=/d' -e '/GRUB_CMDLINE_LINUX=/d' -e '/GRUB_SERIAL_COMMAND=/d' -e '/GRUB_TERMINAL=/d' /etc/default/grub
--- a/files/frr.conf.wit
+++ b/files/frr.conf.wit
@ -186,12 +186,8 @@ route-map LOCALNETSv6 permit 5
 !!!   match ip address prefix-list DEFAULT
 !!!  !
 !!!  route-map FABRICv4-OUT permit 10
-!!!   description "allow loopback IPs"
-!!!   match ip address prefix-list LOOPBACKv4
-!!!  !
-!!!  route-map FABRICv4-OUT permit 15
-!!!   description "allow WIT public IPs"
-!!!   match ip address prefix-list WITV4
+!!!   description "allow WIT customer IPs"
+!!!   match ip address prefix-list WITv4-CUSTOMERS
 !!!  !


--- a/files/ipsec.conf.wit
+++ b/files/ipsec.conf.wit
@ -27,14 +27,14 @@ conn %default

 conn loopback4
    leftsourceip=%config4
-    leftsubnet=10.1.0.0/16
-    rightsubnet=10.1.0.0/16
+    leftsubnet=IPSEC_IPV4_SUBNETS
+    rightsubnet=IPSEC_IPV4_SUBNETS
    right=%any4


 conn loopback6
    leftsourceip=%config6
-    leftsubnet=2604:bbc0:0:100::/56
-    rightsubnet=2604:bbc0:0:100::/56
+    leftsubnet=IPSEC_IPV6_SUBNETS
+    rightsubnet=IPSEC_IPV6_SUBNETS
    right=%any6