Merge branch '26-fastd' into 'master'

Resolve "fastd"

Closes #26

See merge request !244

_modules/fastd.py

+import logging
+
+# compose mac for fastd interface
+def mac(port, host_id):
+    return ":".join(['02', 'FF', str(port)[:2], str(port)[2:], host_id, '03'])
+
+# enumerate fastd instance names for fastd exporter
+def all_instances():
+    tmp = []
+    for domain in __salt__['pillar.get']('domains'):
+        instances = __salt__['pillar.get']('domains:{0}:fastd:instances'.format(domain), [])
+        tmp.extend(["{0}{1}".format(domain, instance['mtu']) for instance in instances])
+    return tmp
+
+#  enumerate fastd interface names for mesh-announce
+def ifnames_for_domain(domain):
+    instances = __salt__['pillar.get']('domains:{}:fastd:instances'.format(domain), [])
+    return ["{0}-vpn-{1}".format(domain, instance['mtu']) for instance in instances]
+
+# enumerate ports to open up in ferm
+def ports_for_domain(domain):
+    instances = __salt__['pillar.get']('domains:{}:fastd:instances'.format(domain), [])
+    return [str(instance['port']) for instance in instances]

fastd/exporter.sls

+{%- set gopath = pillar.get('golang:gopath', '/usr/local/go') %}
+
+include:
+  - golang
+
+fastd-exporter:
+  git.latest:
+    - name: https://git.darmstadt.ccc.de/ffda/fastd-exporter
+    - target: {{ gopath }}/src/git.darmstadt.ccc.de/ffda/fastd-exporter
+  cmd.run:
+    - cwd: {{ gopath }}/src/git.darmstadt.ccc.de/ffda/fastd-exporter
+    - name: go install
+    - env:
+        GOPATH: {{ pillar.get('golang:gopath', '/usr/local/go') }}
+    - require:
+      - pkg: golang
+      - git: fastd-exporter
+    - onchanges:
+      - git: fastd-exporter
+  service.running:
+    - enable: True
+    - require:
+      - file: /etc/systemd/system/fastd-exporter.service
+    - watch:
+      - file: /etc/systemd/system/fastd-exporter.service
+      - cmd: fastd-exporter
+
+/etc/systemd/system/fastd-exporter.service:
+  file.managed:
+    - source: salt://fastd/files/fastd-exporter.service.j2
+    - user: root
+    - group: root
+    - mode: 644
+    - template: jinja
+
+/etc/ferm/conf.d/40-fastd-exporter.conf:
+  file.managed:
+    - source: salt://fastd/files/ferm-fastd-exporter.conf.j2
+    - user: root
+    - group: root
+    - mode: 644
+    - template: jinja
+    - require:
+      - file: /etc/ferm/conf.d
+
+prometheus_fastd_export:
+  grains.present:
+    - value: {{ grains.nodename }}:9281

fastd/files/fastd-default.conf.j2

+log to syslog level debug;
+hide ip addresses yes;
+hide mac addresses yes;
+status socket "/run/fastd-{{ domain }}-vpn-{{ mtu }}.sock";
+
+interface "{{ domain }}-vpn-{{ mtu }}";
+{% for host in grains['fqdn_ip4'] %}
+bind {{ host }}:{{ port }};
+{%- endfor %}
+{% for host in grains['fqdn_ip6'] if not host.startswith('fe80:') %}
+bind [{{ host }}]:{{ port }};
+{%- endfor %}
+
+mtu {{ mtu }};
+
+secret "{{ secret }}";
+{% for method in salt['pillar.get']('domains:%s:fastd:ciphers'|format(domain), ['none', 'salsa2012+umac']) %}
+method "{{ method }}";
+{%- endfor %}
+
+on verify "./verify $PEER_KEY";
+peer limit 100;

fastd/files/fastd-exporter.service.j2

+[Unit]
+Description=Fastd Prometheus Exporter
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/go/bin/fastd-exporter -instances {{ ','.join(salt['fastd.all_instances']()) }}
+
+[Install]
+WantedBy=multi-user.target

fastd/files/fastd@.service

+[Unit]
+Description=Fast and Secure Tunnelling Daemon (connection %I)
+After=network.target
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/fastd --syslog-level info --syslog-ident fastd@%I -c /etc/fastd/%I/fastd.conf
+ExecReload=/bin/kill -HUP $MAINPID
+
+[Install]
+WantedBy=multi-user.target
+

fastd/files/ferm-fastd-exporter.conf.j2

+domain (ip ip6) {
+  table filter {
+    chain INPUT {
+      proto tcp dport (9281) saddr (185.206.209.130 2a06:8187:fb11:1::2:1) ACCEPT;
+    }
+  }
+}

fastd/files/ferm.conf.j2

+{%- set ports = salt['fastd.ports_for_domain'](domain) %}
+
+domain (ip ip6) {
+  table filter {
+    chain INPUT {
+      interface ens5 proto udp dport ({{ " ".join(ports) }}) saddr (185.206.208.0/22 2a06:8187:fb00::/40) DROP;
+      interface ens5 proto udp dport ({{ " ".join(ports) }}) ACCEPT;
+    }
+  }
+}

fastd/files/verify.j2

+#!/bin/bash
+key=$1
+exit 0

fastd/init.sls

+fastd:
+{% if grains.osfinger == 'Debian-8' %}
+  pkg.installed:
+    - fromrepo: jessie-backports
+    - require:
+      - pkgrepo: jessie-backports
+{% else %}
+  pkg.installed
+{% endif %}
+
+tun:
+  kmod.present:
+    - persist: True
+
+fastd_disable_generic_autostart:
+  file.replace:
+    - name: /etc/default/fastd
+    - pattern: ^AUTOSTART=(.*)$
+    - repl: AUTOSTART="none"
+    - require:
+      - pkg: fastd
+
+
+include:
+  - fastd.exporter
+  - fastd.instances

fastd/instances.sls

+# for each domain
+{%- for domain in pillar.get('domains', {}) %}
+
+# assign fastd configuration
+{%- set fastd = salt['pillar.get']('domains:%s:fastd'|format(domain)) %}
+
+# open up ports in the firewall
+/etc/ferm/conf.d/40-fastd-{{ domain }}.conf:
+  file.managed:
+    - source: salt://fastd/files/ferm.conf.j2
+    - user: root
+    - group: root
+    - mode: 644
+    - template: jinja
+    - context:
+        domain: {{ domain }}
+    - require:
+      - file: /etc/ferm/conf.d
+
+# and for each instance (varying mtu/port)
+{%- for instance in fastd['instances'] %}
+{%- set fastd_config_root = '/etc/fastd/{}{}'.format(domain, instance['mtu']) %}
+
+# create working directory
+{{ fastd_config_root }}:
+  file.directory:
+    - mode: 755
+    - makedirs: True
+
+# deploy fastd.conf
+{{ fastd_config_root }}/fastd.conf:
+  file.managed:
+    - source:
+      - salt://fastd/files/fastd-{{ domain }}.conf.j2
+      - salt://fastd/files/fastd-default.conf.j2
+    - user: root
+    - group: root
+    - mode: 600
+    - template: jinja
+    - context:
+        domain: {{ domain }}
+        port: {{ instance['port'] }}
+        mtu: {{ instance['mtu'] }}
+        secret: {{ fastd['secret'] }}
+
+# deploy verify
+{{ fastd_config_root }}/verify:
+  file.managed:
+    - source:
+      - salt://fastd/files/verify-{{ domain }}.j2
+      - salt://fastd/files/verify.j2
+    - user: root
+    - group: root
+    - mode: 600
+    - template: jinja
+
+# enable instances and watch for config changes
+fastd@{{ domain }}{{ instance['mtu'] }}:
+  service.running:
+    - enable: True
+    - require:
+      - pkg: fastd
+    - watch:
+      - file: {{ fastd_config_root }}/fastd.conf
+{%- endfor %}
+{%- endfor %}

mmfd/files/mmfd-network

 allow-hotplug mmfd0
 auto mmfd0
 iface mmfd0
-        address  {{ pillar.ifaces.mmfd0.prefixes }}
+{%- for prefix in pillar.get('ifaces.mmfd0.prefixes', {}) %}
+        address {{ prefix }}
+{%- endfor %}

network/domains-babel.sls

+{% for domain, data in pillar['domains'].items() %}
+
+/etc/network/interfaces.d/domain-{{ domain }}:
+  file.managed:
+    - source: salt://network/files/interfaces-domain.j2
+    - mode: 644
+    - user: root
+    - group: root
+    - template: jinja
+    - context:
+        domain: {{ domain }}
+        fastd: {{ data['fastd'] }}
+
+{% if grains['id'].startswith('gw') %}
+/etc/ferm/conf.d/20-domain-{{ domain }}.conf:
+  file.managed:
+    - source: salt://network/files/ferm-domain-babel.conf.j2
+    - user: root
+    - group: root
+    - mode: 644
+    - template: jinja
+    - context:
+        domain: {{ domain }}
+        routing: {{ pillar['routing'] }}
+{% endif %}
+
+{% endfor %}

network/files/ferm-domain-babel.conf.j2

+{%- set nets6 = salt['pillar.get']('domains:%s:ip6'|format(domain)).keys() %}
+{%- set mtu = salt['pillar.get']('domains:%s:mtu'|format(domain)) %}
+
+domain (ip ip6) {
+    table filter {
+        chain FORWARD {
+            daddr ({{ " ".join(nets6) }}) {
+                ACCEPT;
+            }
+            saddr ({{ " ".join(nets6) }}) {
+                proto tcp dport smtp REJECT;
+                ACCEPT;
+            }
+        }
+    }
+}

network/files/interfaces-domain.j2

-{%- if mesh_proto.startswith('batman-adv') %}
-# mesh proto (batman-adv)
+{%- set with_batman_adv = salt['pillar.get']('domains:%s:batman-adv'|format(domain), False) %}
+{%- set with_fastd = salt['pillar.get']('domains:%s:fastd'|format(domain), False) %}
+
+{% if with_batman_adv %}
+# batman mesh interface
 allow-hotplug {{ domain }}-bat
 iface {{ domain }}-bat
 	pre-up ip link set address {{ ":".join(['02', 'FF'] + pillar['regions'][domain]['mac'] + [pillar['host']['id']['primary'], '02'])  }} dev $IFACE
-{%- if mesh_proto == 'batman-adv' %}
-{%- if 'mm' in batman_adv['features'] and batman_adv['features']['mm'] %}
-	post-up batctl -m $IFACE mm 1
-	post-up echo 2 > /sys/class/net/$IFACE/brport/multicast_router
-{%- else %}
-	post-up batctl -m $IFACE mm 0
-{%- endif %}
-{%- endif %}
-{%- if 'dat' in batman_adv['features'] and not batman_adv['features']['dat'] %}
+	post-up brctl addif {{ domain }}-br $IFACE
+	pre-down brctl delif {{ domain }}-br $IFACE
+	# disable ipv6 autoconfig
+	pre-up echo 0 > /proc/sys/net/ipv6/conf/$IFACE/accept_ra
+	{%- if salt['pillar.get']('domains:%s:batman-adv:features:dat'|format(domain), False) %}
+	# distributed arp table enabled
+	post-up batctl -m $IFACE dat 1
+	{%- else %}
+	# distributed arp table disabled
 	post-up batctl -m $IFACE dat 0
-{%- endif %}
-{%- if 'hop_penalty' in batman_adv %}
-	post-up echo {{ batman_adv['hop_penalty'] }} > /sys/class/net/$IFACE/mesh/hop_penalty
-{%- endif -%}
-{%- if 'gw_mode' in batman_adv and batman_adv['gw_mode']['enabled'] %}
-	post-up batctl -m $IFACE gw server {{ batman_adv['gw_mode']['uplink'] }}/{{ batman_adv['gw_mode']['downlink'] }}
-{%- endif %}
-        pre-up brctl addbr {{ domain }}-br
-        post-up brctl addif {{ domain }}-br $IFACE
+	{%- endif %}
+	{%- if salt['pillar.get']('domains:%s:batman-adv:hop_penalty'|format(domain), False) %}
+	# hop penalty
+	post-up echo {{ salt['pillar.get']('domains:%s:batman-adv:hop_penalty'|format(domain)) }} > /sys/class/net/$IFACE/mesh/hop_penalty
+	{%- else %}
+	# hop penalty remains at default
+	{%- endif %}
+	{%- if salt['pillar.get']('domains:%s:batman-adv:gw_mode:enabled'|format(domain), False) %}
+	# gateway mode enabled
+	{%- set uplink = salt['pillar.get']('domains:%s:batman-adv:gw_mode:uplink', '100mbit') %}
+	{%- set downlink = salt['pillar.get']('domains:%s:batman-adv:gw_mode:uplink', '100mbit') %}
+	post-up batctl -m $IFACE gw server {{ uplink }}/{{ downlink }}
+	{%- endif %}
 {% endif %}
 
 # l2 transport
-auto {{ domain }}-port
-iface {{ domain }}-port
+auto {{ domain }}-tp
+iface {{ domain }}-tp
 	pre-up ip link set up dev $IFACE
-{%- if mesh_proto.startswith('batman-adv') %}
+{% if with_batman_adv %}
 	pre-up ip link set mtu {{ pillar['domains'][domain]['mtu'] }} dev $IFACE
 	post-up batctl -m {{ domain }}-bat if add $IFACE
 	post-up ip link set up dev {{ domain }}-bat || true
 {% endif %}
 
+{%- if 'gateway' in pillar.roles and with_fastd %}
+{%- for instance in salt['pillar.get']('domains:%s:fastd:instances'|format(domain)) %}
 # l2 tunnel (fastd)
-allow-hotplug {{ domain }}-vpn
-iface {{ domain }}-vpn
-	pre-up ip link set address {{ ":".join(['02', 'FF'] + pillar['regions'][domain]['mac'] + [pillar['host']['id']['primary'], '03']) }} dev $IFACE
+allow-hotplug {{ domain }}-vpn-{{ instance['mtu'] }}
+iface {{ domain }}-vpn-{{ instance['mtu'] }}
+	pre-up ip link set address {{ salt['fastd.mac'](instance['port'], salt['pillar.get']('host:id:primary')) }} dev $IFACE
 	pre-up ip link set up dev $IFACE
-{%- if mesh_proto.startswith('batman-adv') %}
+	{%- if with_batman_adv %}
+	# batman-adv specific hooks
 	post-up batctl -m {{ domain }}-bat if add $IFACE
 	post-up ip link set up dev {{ domain }}-bat || true
-{% endif %}
+	{%- endif %}
+
+{%- endfor %}
+{%- endif %}

top.sls

@@ -135,6 +135,8 @@ base:
     - kernel
     - kernel.sysctl
     - network
+    - network.domains
     - mmfd
     - l3roamd
     - babeld
+    - fastd