79 lines
2.6 KiB
Puppet
79 lines
2.6 KiB
Puppet
notice('MODULAR: calico/compute_alt_gateway.pp')
|
|
|
|
$network_scheme = hiera_hash('network_scheme')
|
|
prepare_network_config($network_scheme)
|
|
$network_metadata = hiera_hash('network_metadata', {})
|
|
|
|
# Initial constants
|
|
$plugin_name = 'fuel-plugin-calico'
|
|
$calico_mark = '0xCA'
|
|
|
|
$neutron_config = hiera_hash('neutron_config')
|
|
$private_net_name = try_get_value($neutron_config, 'default_private_net', 'admin_internal_net')
|
|
$neutron_networks = try_get_value($neutron_config, 'predefined_networks', {})
|
|
$private_net = try_get_value($neutron_networks, $private_net_name, {'L3'=>{}})
|
|
$subnet_cidr = pick($private_net['L3']['subnet'], '10.20.0.0/16')
|
|
|
|
$calico_alt_gateway_br = get_network_role_property('neutron/mesh','interface')
|
|
$calico_alt_gateway = try_get_value($network_scheme,"endpoints/${calico_alt_gateway_br}/vendor_specific/provider_gateway")
|
|
|
|
# Firewall initials
|
|
class { '::firewall':}
|
|
Class['::firewall'] -> Firewall<||>
|
|
Class['::firewall'] -> Firewallchain<||>
|
|
|
|
# iptables -t mangle -N calico-alt-gw-MARK
|
|
firewallchain { 'calico-alt-gw-MARK:mangle:IPv4':
|
|
ensure => present,
|
|
}->
|
|
# iptables -t mangle -A PREROUTING -i tap+ -j calico-alt-gw-MARK
|
|
firewall { '010 process traffic from VM instances to outside':
|
|
ensure => present,
|
|
table => 'mangle',
|
|
chain => 'PREROUTING',
|
|
iniface => 'tap+',
|
|
proto => 'all',
|
|
jump => 'calico-alt-gw-MARK',
|
|
} ->
|
|
#iptables -t mangle -A calico-alt-gw-MARK -d 192.168.111.0/24 -j RETURN
|
|
firewall { '011 skip internal traffic':
|
|
ensure => present,
|
|
table => 'mangle',
|
|
chain => 'calico-alt-gw-MARK',
|
|
destination => $subnet_cidr,
|
|
proto => 'all',
|
|
jump => 'RETURN',
|
|
} ->
|
|
#iptables -t mangle -A calico-alt-gw-MARK -j MARK --set-mark 0x222
|
|
firewall { '012 mark traffic from VM instances to outside':
|
|
ensure => present,
|
|
table => 'mangle',
|
|
chain => 'calico-alt-gw-MARK',
|
|
jump => 'MARK',
|
|
proto => 'all',
|
|
set_mark => $calico_mark
|
|
}
|
|
|
|
file { '/etc/init/calico-alt-gateway.conf':
|
|
ensure => present,
|
|
mode => '0644',
|
|
owner => 'root',
|
|
group => 'root',
|
|
content => template('calico/calico-alt-gateway.conf.erb'),
|
|
} ~>
|
|
service {'calico-alt-gateway':
|
|
ensure => running,
|
|
enable => true,
|
|
hasrestart => false,
|
|
}
|
|
|
|
# Without such settings source-routing works wrong. For more details
|
|
# read the https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
|
|
# Value '2' may be better, but Calico Felix agent is not compotible with '2'
|
|
sysctl::value {
|
|
'net.ipv4.conf.all.rp_filter': value => '0';
|
|
"net.ipv4.conf.${calico_alt_gateway_br}.rp_filter": value => '0';
|
|
}
|
|
|
|
# vim: set ts=2 sw=2 et :
|