diff --git a/fastd/files/fastd-default.conf.j2 b/fastd/files/fastd-default.conf.j2 index d5015f7f875a0b2df952ba21585f9af6421a9afc..5a5090b3c1c3318a4a7932e34e17914a344ddb8f 100644 --- a/fastd/files/fastd-default.conf.j2 +++ b/fastd/files/fastd-default.conf.j2 @@ -4,7 +4,6 @@ hide ip addresses no; hide mac addresses no; status socket "/run/fastd-dom{{ domain_id }}-vpn-{{ mtu }}.sock"; -interface "dom{{ domain_id }}-vpn-{{ mtu }}"; {% for host in grains['fqdn_ip4']|unique|list %} bind {{ host }}:{{ port }}; {%- endfor %} @@ -12,15 +11,17 @@ bind {{ host }}:{{ port }}; bind [{{ host }}]:{{ port }}; {%- endfor %} +interface "dom{{ domain_id }}-vpn-%k"; +persist interface no; mtu {{ mtu }}; +mode multitap; +offload l2tp yes; secret "{{ salt['pillar.get']('fastd:secret') }}"; -{% for method in salt['pillar.get']('fastd:ciphers', ['null', 'salsa2012+umac']) %} +{% for method in salt['pillar.get']('fastd:ciphers', ['null@l2tp', 'null', 'salsa2012+umac']) %} method "{{ method }}"; {%- endfor %} -on up "ip link set address {{ salt['net.fastd_mac'](domain_id, host_id) }} dev $INTERFACE && /sbin/ip link set master dom{{ domain_id }}-bat dev $INTERFACE && /sbin/ip link set dev $INTERFACE up"; - {%- if salt['pillar.get']('domains:%s:fastd:peer_groups'|format(domain),false) %} {% for group_name in salt['pillar.get']('domains:%s:fastd:peer_groups'|format(domain)) %} {%- set group = salt['pillar.get']('fastd:peer_groups:%s'|format(group_name)) %} diff --git a/network/domains-batman-systemd.sls b/network/domains-batman-systemd.sls index 535189b911b71c11c1076aa7185a31c3a6b05f06..e5fb66dffea2259a948e6e45d1771e7131424527 100644 --- a/network/domains-batman-systemd.sls +++ b/network/domains-batman-systemd.sls 
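Review bot: The per-peer name `interface "dom{{ domain_id }}-vpn-%k"` in the second hunk has to match the `Name={{ domain }}-vpn-*` pattern in the new fastd_peer.network.j2, otherwise the tap never joins the peers bridge and the `Isolated=True` port setting is never applied; unless every pillar key under `domains` is literally `dom<domain_id>`, the two prefixes diverge, and writing `interface "{{ domain }}-vpn-%k"` (`domain` is already in this template's context, see the peer_groups lookup) keeps them in lockstep. Linux also caps interface names at 15 characters, so check how many characters fastd expands `%k` to — with a 9-or-more character prefix there is very little room, and a too-long name is rejected or truncated by the kernel, which would again break the networkd match. With `null@l2tp` now first in the default `fastd:ciphers` list, a peer that supports it gets a tunnel whose payload fastd neither encrypts nor authenticates (only the handshake is key-authenticated); that is consistent with the previous `null` default, but a comment such as `{# null/null@l2tp: plaintext payload, only the handshake is authenticated #}` next to the loop would make the choice explicit.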
@@ -2,9 +2,9 @@ include: - systemd {% set transport_interface = salt['pillar.get']('ferm:transport_interface', 'ens14') %} -/etc/network/interfaces.d/{{ transport_interface }}: +/etc/systemd/network/20-{{ transport_interface }}.network: file.managed: - - source: salt://network/files/transport_interface.j2 + - source: salt://network/files/systemd/transport_interface.network.j2 - mode: '0644' - user: root - group: root @@ -39,33 +39,12 @@ dom.service: service.masked {% for domain in salt['pillar.get']('domains', {}).keys() %} -{% set domain_id = salt['pillar.get']('domains:%s:domain_id'|format(domain)) %} +{% set domain_id = salt['pillar.get']('domains:%s:domain_id' | format(domain)) %} /opt/multidomain/dom_{{ domain_id }}_up.sh: file.absent - file.managed: - - source: salt://network/files/ifup-domain-batman.sh.j2 - - mode: '0700' - - user: root - - group: root - - template: jinja - - makedirs: True - - context: - domain: {{ domain }} - domain_id: {{ domain_id }} - vtep: {{ pillar['vtep'] }} /opt/multidomain/dom_{{ domain_id }}_down.sh: file.absent - file.managed: - - source: salt://network/files/ifdown-domain-batman.sh.j2 - - mode: '0700' - - user: root - - group: root - - template: jinja - - makedirs: True - - context: - domain: {{ domain }} - domain_id: {{ domain_id }} /etc/network/interfaces.d/dom{{ domain_id }}: file.absent 
@@ -82,6 +61,63 @@ dom.service: domain: {{ domain }} domain_id: {{ domain_id }} routing: {{ pillar['routing'] }} + + +/etc/systemd/network/30-{{ domain }}-bat.netdev: + file.managed: + - source: salt://network/files/systemd/batadv.netdev.j2 + - mode: '0644' + - user: root + - group: root + - template: jinja +/etc/systemd/network/30-{{ domain }}-bat.network: + file.managed: + - source: salt://network/files/systemd/batadv.network.j2 + - mode: '0644' + - user: root + - group: root + - template: jinja + + +/etc/systemd/network/40-{{ domain }}-tp.netdev: + file.managed: + - source: salt://network/files/systemd/vxlan_batadv.netdev.j2 + - mode: '0644' + - user: root + - group: root + - template: jinja +/etc/systemd/network/40-{{ domain }}-tp.network: + file.managed: + - source: salt://network/files/systemd/vxlan_batadv.network.j2 + - mode: '0644' + - user: root + - group: root + - template: jinja + + +/etc/systemd/network/50-{{ domain }}-peers-br.netdev: + file.managed: + - source: salt://network/files/systemd/peers_bridge.netdev.j2 + - mode: '0644' + - user: root + - group: root + - template: jinja +/etc/systemd/network/50-{{ domain }}-peers-br.network: + file.managed: + - source: salt://network/files/systemd/peers_bridge.network.j2 + - mode: '0644' + - user: root + - group: root + - template: jinja + + +/etc/systemd/network/60-{{ domain }}-vpn.network: + file.managed: + - source: salt://network/files/systemd/fastd_peer.network.j2 + - mode: '0644' + - user: root + - group: root + - template: jinja {% endif %} dom@{{ domain_id }}.service: diff --git a/network/files/systemd/batadv.netdev.j2 b/network/files/systemd/batadv.netdev.j2 index d579fc753c88bc57849599fa6f2909558a6568c2..af7988391e76e484d25cc623cb42255aab9239e9 100644 --- a/network/files/systemd/batadv.netdev.j2 +++ b/network/files/systemd/batadv.netdev.j2 
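Review bot: None of the seven new `file.managed` states in this hunk passes a `context:`, yet the templates they render use `{{ domain }}`, `{{ domain_id }}`, `{{ host_id }}` and `vtep.values()`; variables `set` in the .sls are not visible to a `template: jinja` file rendered by the minion, so these either fail to render or produce unit files with empty names. The sibling state just above the hunk (`domain:` / `domain_id:` / `routing:` context) and the removed `dom_<id>_up.sh` state (which passed `vtep: {{ pillar['vtep'] }}`) show the convention; each new state needs the subset its template reads. I cannot see where `host_id` is defined in this .sls, so the fence assumes it is available the same way the fastd state gets it.
```jinja
/etc/systemd/network/40-{{ domain }}-tp.netdev:
  file.managed:
    - source: salt://network/files/systemd/vxlan_batadv.netdev.j2
    # … unchanged: mode/user/group/template …
    - context:
        domain: {{ domain }}
        domain_id: {{ domain_id }}
        host_id: {{ host_id }}
/etc/systemd/network/40-{{ domain }}-tp.network:
  file.managed:
    - source: salt://network/files/systemd/vxlan_batadv.network.j2
    # … unchanged: mode/user/group/template …
    - context:
        domain: {{ domain }}
        vtep: {{ pillar['vtep'] }}
# … same pattern for the batadv, peers-br and fastd-peer units, passing domain (and domain_id where the template uses it) …
```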
@@ -8,7 +8,6 @@ MACAddress={{ salt['net.batadv_mac'](domain_id, salt['pillar.get']('host:id:prim RoutingAlgorithm=batman-iv OriginatorIntervalSec=5 - {% if salt['pillar.get']('domains:%s:batman-adv:gw_mode:enabled'|format(domain), False) %} HopPenalty=15 GatewayMode=server diff --git a/network/files/systemd/batadv.network.j2 b/network/files/systemd/batadv.network.j2 index e0360e10101b1f290a733d2c3fb143d34c9b13e6..6bf1333e96741aa9866feaf41e4f0ac1ee758499 100644 --- a/network/files/systemd/batadv.network.j2 +++ b/network/files/systemd/batadv.network.j2 @@ -5,11 +5,11 @@ Name={{ domain }}-bat RequiredForOnline=false [Network] -{%- if salt['pillar.get']('domains:%s:IPv4:address'|format(domain), {}) %} -Address={{ salt['pillar.get']('domains:%s:IPv4:address'|format(domain)) }} +{%- if salt['pillar.get']('domains:%s:IPv4:address' | format(domain), {}) %} +Address={{ salt['pillar.get']('domains:%s:IPv4:address' | format(domain)) }} {%- endif %} -{%- if salt['pillar.get']('domains:%s:IPv6:address'|format(domain), {})%} -{%- for address in salt['pillar.get']('domains:%s:IPv6:address'|format(domain), {}) %} +{%- if salt['pillar.get']('domains:%s:IPv6:address' | format(domain), {})%} +{%- for address in salt['pillar.get']('domains:%s:IPv6:address' | format(domain), {}) %} Address={{ address }}/64 {%- endfor %} {%- endif %} @@ -26,7 +26,7 @@ OtherInformation=true RouterLifetimeSec=1800 RouterPreference=high -{%- for prefix,prefixval in pillar['domains'][domain]['IPv6']['subnets'].items()|sort %} +{%- for prefix,prefixval in pillar['domains'][domain]['IPv6']['subnets'].items() | sort %} {%- if not ('announce' in prefixval and prefixval['announce'] == False ) %} [IPv6Prefix] Prefix={{ prefix }} @@ -36,5 +36,4 @@ Prefix={{ prefix }} [IPv6PREF64Prefix] Prefix=64:ff9b::/96 ValidLifetimeSec=1800 - {%- endif %} 
diff --git a/network/files/systemd/fastd_peer.network.j2 b/network/files/systemd/fastd_peer.network.j2 new file mode 100644 index 0000000000000000000000000000000000000000..490d578d9e2e02b73eb1b99b04c3e6a00a95448b --- /dev/null +++ b/network/files/systemd/fastd_peer.network.j2 @@ -0,0 +1,14 @@ +[Match] +Name={{ domain }}-vpn-* + +[Link] +RequiredForOnline=false + +[Network] +Bridge={{ domain }}-peers-br +DHCP=no +IPv6AcceptRA=false +LinkLocalAddressing=no + +[Bridge] +Isolated=True diff --git a/network/files/systemd/peers_bridge.netdev.j2 b/network/files/systemd/peers_bridge.netdev.j2 new file mode 100644 index 0000000000000000000000000000000000000000..1aefaef9028782706143a8e00b7259354470314b --- /dev/null +++ b/network/files/systemd/peers_bridge.netdev.j2 @@ -0,0 +1,6 @@ +[NetDev] +Kind=bridge +Name={{ domain }}-peers-br + +[Bridge] +STP=off diff --git a/network/files/systemd/peers_bridge.network.j2 b/network/files/systemd/peers_bridge.network.j2 new file mode 100644 index 0000000000000000000000000000000000000000..be00162a573d6d23cf543da03e6dc4aae2a5117a --- /dev/null +++ b/network/files/systemd/peers_bridge.network.j2 @@ -0,0 +1,11 @@ +[Match] +Name={{ domain }}-peers-br + +[Link] +RequiredForOnline=false + +[Network] +BatmanAdvanced={{ domain }}-bat +DHCP=no +IPv6AcceptRA=false +LinkLocalAddressing=yes diff --git a/network/files/systemd/transport_interface.network.j2 b/network/files/systemd/transport_interface.network.j2 new file mode 100644 index 0000000000000000000000000000000000000000..9dd0b0faf942f0b9cc7b2805fb7801c4e78e5dff --- /dev/null +++ b/network/files/systemd/transport_interface.network.j2 @@ -0,0 +1,15 @@ +[Match] +Name={{ name }} + +[Link] +MTUBytes=9000 + +[Network] +IPv6AcceptRA=false +DHCP=no +IPv6AcceptRA=false +LinkLocalAddressing=yes + +{% for domain in salt['pillar.get']('domains', {}).keys() %} +VXLAN={{ domain }}-tp +{% endfor %} 
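Review bot: `LinkLocalAddressing=yes` in peers_bridge.network.j2 gives the peer-facing bridge a fe80:: address and an NDP responder on a segment whose only other ports are fastd client taps; `Isolated=True` on those ports stops peer-to-peer forwarding but still delivers frames to the bridge device itself, so any VPN peer can talk to the gateway's link-local address directly, bypassing batman. batman-adv does not need an address on its hard interface, so `LinkLocalAddressing=no` here (as fastd_peer.network.j2 already does for the taps) closes that, unless the intent is to rely on ferm, whose ruleset is not in this diff; the same consideration applies to `{{ domain }}-tp` in vxlan_batadv.network.j2 if the VTEP underlay is not fully trusted. Separately, transport_interface.network.j2 lists `IPv6AcceptRA=false` twice, and it drops the `ethtool -K $IFACE tx off rx off` from the deleted ifupdown stanza; if that checksum-offload workaround is still needed, networkd's `[Link]` section has `TransmitChecksumOffload=false` / `ReceiveChecksumOffload=false`.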
diff --git a/network/files/systemd/vm_interface.network.j2 b/network/files/systemd/vm_interface.network.j2 new file mode 100644 index 0000000000000000000000000000000000000000..2e1fac44d77a917c32bff4d089fb168a35d8068b --- /dev/null +++ b/network/files/systemd/vm_interface.network.j2 @@ -0,0 +1,19 @@ +[Match] +Name={{ name }} + +[Network] +IPv6AcceptRA=false +Address=169.254.42.2/24 +{% for address in salt['pillar.get']('interfaces:%s:addresses' | format(name)) %} +Address={{ address }} +{% endfor %} + +[Route] +Destination=0.0.0.0/0 +Gateway=169.254.42.1 +PreferredSource={{ canonical_ip_4 }} + +[Route] +Destination=::/0 +Gateway=fe80::42:1 +PreferredSource={{ canonical_ip_6 }} diff --git a/network/files/systemd/vxlan_batadv.netdev.j2 b/network/files/systemd/vxlan_batadv.netdev.j2 new file mode 100644 index 0000000000000000000000000000000000000000..d26855ef370e3965db611a3901f7af51cf31d387 --- /dev/null +++ b/network/files/systemd/vxlan_batadv.netdev.j2 @@ -0,0 +1,17 @@ +[NetDev] +Kind=vxlan +Name={{ domain }}-tp +MTUBytes={{ salt['pillar.get']('domains:%s:mtu' | format(domain), 1312) }} +MACAddress={{ salt['net.vxlan_mac'](domain_id, host_id) }} + +[VXLAN] +DestinationPort=4789 +MacLearning=true +UDPChecksum=false +UDP6ZeroChecksumTx=true +UDP6ZeroChecksumRx=true +RemoteChecksumTx=false +RemoteChecksumRx=false +Group=ff02::15c +Local={{ grains.fqdn_ip6.0 }} +VNI={{ salt['pillar.get']('domains:%s:vxlan_vid' | format(domain)) }} diff --git a/network/files/systemd/vxlan_batadv.network.j2 b/network/files/systemd/vxlan_batadv.network.j2 new file mode 100644 index 0000000000000000000000000000000000000000..acc503624e198851b716d445f8c112ae272f44b3 --- /dev/null +++ b/network/files/systemd/vxlan_batadv.network.j2 
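Review bot: `PreferredSource={{ canonical_ip_4 }}` and `PreferredSource={{ canonical_ip_6 }}` in vm_interface.network.j2 are never supplied: the state that renders this template in network/systemd.sls (later in this diff) passes only `name` in its context, so the render fails or, if undefined values render empty, writes `PreferredSource=` and networkd rejects the route. Either add `canonical_ip_4: …` / `canonical_ip_6: …` to that context, or derive them in the template from the same `interfaces:{{ name }}:addresses` pillar list the `[Network]` section already iterates. The hard-coded `Address=169.254.42.2/24` and gateways `169.254.42.1` / `fe80::42:1` sit next to the pillar-driven addresses with no explanation; a one-line comment naming what they are (presumably the hypervisor side of the VM uplink — worth confirming) would save the next reader a search.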
@@ -0,0 +1,17 @@ +[Match] +Name={{ domain }}-tp + +[Link] +RequiredForOnline=false + +[Network] +BatmanAdvanced={{ domain }}-bat +DHCP=no +IPv6AcceptRA=false +LinkLocalAddressing=yes + +{%- for vtepIP in vtep.values() | sort %} +[BridgeFDB] +MACAddress=00:00:00:00:00:00 +Destination={{ vtepIP }} +{%- endfor %} diff --git a/network/files/transport_interface.j2 b/network/files/transport_interface.j2 deleted file mode 100644 index e1de537ed9d049fb0f920820e0d3ce6d69d6fdc3..0000000000000000000000000000000000000000 --- a/network/files/transport_interface.j2 +++ /dev/null @@ -1,7 +0,0 @@ -auto {{ name }} -iface {{ name }} - mtu 9000 - accept_ra 0 - autoconf 0 - dad-attempts 0 - post-up ethtool -K $IFACE tx off rx off diff --git a/network/systemd.sls b/network/systemd.sls index eccf71b0621598c4dd8dff2bf8621cb4869a51a6..8e7af04339e3d6bdfb47c37fde016bb35fd49f80 100644 --- a/network/systemd.sls +++ b/network/systemd.sls @@ -5,6 +5,19 @@ include: - systemd +{% if salt['pillar.get']('is_vm', false) %} +{% set vm_interface = 'ens13' %} +/etc/systemd/network/20-{{ vm_interface }}.network: + file.managed: + - source: salt://network/files/vm_interface.network.j2 + - mode: '0644' + - user: root + - group: root + - template: jinja + - context: + name: {{ vm_interface }} +{% endif %} + ifupdown: pkg.purged diff --git a/top.sls b/top.sls index cb2d56b9800b293d01e6f98f0a0aa1382e7ae170..e5e6186700878709be9022d5818ac491c52eb9ee 100644 --- a/top.sls +++ b/top.sls @@ -153,6 +153,7 @@ - mesh-announce - kernel - kernel.sysctl + - network.systemd 'gw*.batman15.*.ffffm.net': - bird - bird.bgp
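Review bot: `{% set vm_interface = 'ens13' %}` in network/systemd.sls hard-codes the interface name while the transport interface in domains-batman-systemd.sls is read from pillar (`ferm:transport_interface`, default `ens14`); `{% set vm_interface = salt['pillar.get']('network:vm_interface', 'ens13') %}` keeps the two consistent and lets a host with different device naming override it without editing state. This matters because vm_interface.network.j2 looks up `interfaces:{{ name }}:addresses` with no default, so a wrong name makes `pillar.get` return None and the `{% for address in … %}` loop fails to render. A short comment above the `is_vm` block saying which interface class this unit is for, e.g. `{# VM uplink to the hypervisor; physical hosts get their transport interface from domains-batman-systemd #}`, would also help.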