gre/tun: init

gre/files/ferm-tun.conf.j2

+domain (ip ip6) {
+  table filter {
+    chain INPUT {
+      proto gre saddr (
+{% for name, interface in pillar.ifaces.items() if 'mode' in interface %}
+{%- if interface.mode == 'gretun' -%}
+        {{ interface.remote }}
+{%- endif %}
+{%- endfor %}
+      ) ACCEPT;
+    }
+  }
+}

gre/files/tun.j2

+{%- for name, interface in pillar.ifaces.items() if 'mode' in interface -%}
+{%- if interface.mode == 'gretun' -%}
+auto {{ name }}
+iface {{ name }} inet tunnel
+	mode	gre
+	endpoint	{{ interface.remote }}
+	local	{{ interface.local }}
+	{% if 'ttl' in interface %}ttl	{{ interface.ttl }} {% endif %}
+	{% if 'dev' in interface %}tunnel-physdev	{{ interface.dev }}{% endif %}
+	{%- if 'mtu' in interface %}
+	pre-up ip link set mtu {{ interface.mtu }} dev $IFACE
+	{%- endif %}
+	{%- for prefix in interface.prefixes %}
+	address	{{ prefix }}
+	{%- endfor -%}
+
+{% endif %}
+{%- endfor -%}

gre/tap.sls

@@ -17,7 +17,7 @@ ifreload-on-gretap:
 
 /etc/ferm/conf.d/20-gretap.conf:
   file.managed:
-    - source: salt://gre/files/ferm.conf.j2
+    - source: salt://gre/files/ferm-tap.conf.j2
     - template: jinja
     - require:
       - file: /etc/ferm/conf.d

gre/tun.sls

+/etc/network/interfaces.d/gre:
+  file.managed:
+    - source: salt://gre/files/tun.j2
+    - mode: 644
+    - user: root
+    - group: root
+    - template: jinja
+    - makedirs: True
+
+ifreload-on-gretun:
+  cmd.wait:
+    - name: /sbin/ifreload -af
+    - watch:
+      - file: /etc/network/interfaces.d/gre
+    - require:
+      - file: /etc/network/interfaces.d/gre
+
+/etc/ferm/conf.d/20-gre.conf:
+  file.managed:
+    - source: salt://gre/files/ferm-tun.conf.j2
+    - template: jinja
+    - require:
+      - file: /etc/ferm/conf.d

top.sls

@@ -107,6 +107,7 @@ base:
     - kernel.sysctl
     - network
     - gre.tap
+    - gre.tun
   'rr*.as64475.net':
     - bird
     - bird.bgp