diff --git a/ansible/filter_plugins/networks.py b/ansible/filter_plugins/networks.py index 27f8787c9..e48ee432e 100644 --- a/ansible/filter_plugins/networks.py +++ b/ansible/filter_plugins/networks.py @@ -125,6 +125,7 @@ def net_vlan(context, name, inventory_hostname=None): net_mtu = _make_attr_filter('mtu') net_routes = _make_attr_filter('routes') +net_rules = _make_attr_filter('rules') net_physical_network = _make_attr_filter('physical_network') @@ -154,14 +155,21 @@ def _route_obj(route): The returned dict is compatible with the route item of the interfaces_ether_interfaces and interfaces_bridge_interfaces variables in - the MichaelRigaert.interfaces role. + the MichaelRigart.interfaces role. """ net = netaddr.IPNetwork(route['cidr']) - return { + route_obj = { 'network': str(net.network), 'netmask': str(net.netmask), - 'gateway': route['gateway'], } + optional = { + 'gateway', + 'table', + } + for option in optional: + if option in route: + route_obj[option] = route[option] + return route_obj @jinja2.contextfilter @@ -187,6 +195,7 @@ def net_interface_obj(context, name, inventory_hostname=None): routes = net_routes(context, name, inventory_hostname) if routes: routes = [_route_obj(route) for route in routes] + rules = net_rules(context, name, inventory_hostname) interface = { 'device': device, 'address': ip, @@ -195,6 +204,7 @@ def net_interface_obj(context, name, inventory_hostname=None): 'vlan': vlan, 'mtu': mtu, 'route': routes, + 'rules': rules, 'bootproto': 'static', 'onboot': 'yes', } @@ -226,6 +236,7 @@ def net_bridge_obj(context, name, inventory_hostname=None): routes = net_routes(context, name, inventory_hostname) if routes: routes = [_route_obj(route) for route in routes] + rules = net_rules(context, name, inventory_hostname) interface = { 'device': device, 'address': ip, @@ -235,6 +246,7 @@ def net_bridge_obj(context, name, inventory_hostname=None): 'mtu': mtu, 'ports': ports, 'route': routes, + 'rules': rules, 'bootproto': 'static', 'onboot': 'yes', } @@ -268,6 +280,7 @@ def net_bond_obj(context, name, inventory_hostname=None): routes = net_routes(context, name, inventory_hostname) if routes: routes = [_route_obj(route) for route in routes] + rules = net_rules(context, name, inventory_hostname) interface = { 'device': device, 'address': ip, @@ -279,6 +292,7 @@ def net_bond_obj(context, name, inventory_hostname=None): 'bond_mode': mode, 'bond_miimon': miimon, 'route': routes, + 'rules': rules, 'bootproto': 'static', 'onboot': 'yes', } @@ -429,6 +443,7 @@ class FilterModule(object): 'net_vlan': net_vlan, 'net_mtu': net_mtu, 'net_routes': net_routes, + 'net_rules': net_rules, 'net_physical_network': net_physical_network, 'net_interface_obj': net_interface_obj, 'net_bridge_obj': net_bridge_obj, diff --git a/ansible/group_vars/all/network b/ansible/group_vars/all/network index c90bf29e4..1d9caa53a 100644 --- a/ansible/group_vars/all/network +++ b/ansible/group_vars/all/network @@ -54,3 +54,10 @@ network_patch_suffix_phy: '-phy' # Suffix for virtual patch link interface names when connected towards the # OVS bridge. network_patch_suffix_ovs: '-ovs' + +############################################################################### +# Network routing table configuration. + +# List of IP routing tables. Each item should be a dict containing 'id' and +# 'name' items. These tables will be added to /etc/iproute2/rt_tables. +network_route_tables: [] diff --git a/ansible/network.yml b/ansible/network.yml index 146045103..e5115f55e 100644 --- a/ansible/network.yml +++ b/ansible/network.yml @@ -52,6 +52,7 @@ become: True - role: MichaelRigart.interfaces + interfaces_route_tables: "{{ network_route_tables }}" interfaces_ether_interfaces: > {{ ether_interfaces | map('net_interface_obj') | diff --git a/doc/source/configuration/network.rst b/doc/source/configuration/network.rst index 604c7bf5e..1f7c490c9 100644 --- a/doc/source/configuration/network.rst +++ b/doc/source/configuration/network.rst @@ -41,8 +41,13 @@ supported: Maximum Transmission Unit (MTU). ``routes`` List of static IP routes. Each item should be a dict containing the - items ``cidr`` and ``gateway``. ``cidr`` is the CIDR representation of the - route's destination. ``gateway`` is the IP address of the next hop. + item ``cidr``, and optionally ``gateway`` and ``table``. ``cidr`` is the CIDR + representation of the route's destination. ``gateway`` is the IP address of + the next hop. ``table`` is the name or ID of a routing table to which the + route will be added. +``rules`` + List of IP routing rules. Each item should be an ``iproute2`` IP routing + rule. ``physical_network`` Name of the physical network on which this network exists. This aligns with the physical network concept in neutron. @@ -86,7 +91,8 @@ Configuring Static IP Routes Static IP routes may be configured by setting the ``routes`` attribute for a network to a list of routes. -To configure a network called ``example`` with a single IP route: +To configure a network called ``example`` with a single IP route to the +``10.1.0.0/24`` subnet via ``10.0.0.1``: .. code-block:: yaml :caption: ``networks.yml`` @@ -155,6 +161,71 @@ addresses for hosts ``host1`` and ``host2``: host1: 10.0.0.1 host2: 10.0.0.2 +Advanced: Policy-Based Routing +------------------------------ + +Policy-based routing can be useful in complex networking environments, +particularly where asymmetric routes exist, and strict reverse path filtering +is enabled. + +Configuring IP Routing Tables +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Custom IP routing tables may be configured by setting the global variable +``network_route_tables`` in ``${KAYOBE_CONFIG_PATH}/networks.yml`` to a list of +route tables. These route tables will be added to ``/etc/iproute2/rt_tables``. + +To configure a routing table called ``exampleroutetable`` with ID ``1``: + +.. code-block:: yaml + :caption: ``networks.yml`` + + network_route_tables: + - name: exampleroutetable + id: 1 + +To configure route tables on specific hosts, use a host or group variables +file. + +Configuring IP Routing Policy Rules +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +IP routing policy rules may be configured by setting the ``rules`` attribute +for a network to a list of rules. The format of a rule is the string which +would be appended to ``ip rule `` to create or delete the rule. + +To configure a network called ``example`` with an IP routing policy rule to +handle traffic from the subnet ``10.1.0.0/24`` using the routing table +``exampleroutetable``: + +.. code-block:: yaml + :caption: ``networks.yml`` + + example_rules: + - from 10.1.0.0/24 table exampleroutetable + +These rules will be configured on all hosts to which the network is mapped. + +Configuring IP Routes on Specific Tables +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +A route may be added to a specific routing table by adding the name or ID of +the table to a ``table`` attribute of the route: + +To configure a network called ``example`` with a default route and a +'connected' (local subnet) route to the subnet ``10.1.0.0/24`` on the table +``exampleroutetable``: + +.. code-block:: yaml + :caption: ``networks.yml`` + + example_routes: + - cidr: 0.0.0.0/0 + gateway 10.1.0.1 + table: exampleroutetable + - cidr: 10.1.0.0/24 + table: exampleroutetable + Per-host Network Configuration ============================== diff --git a/etc/kayobe/networks.yml b/etc/kayobe/networks.yml index 0d43d5ec0..cc5ec3bb9 100644 --- a/etc/kayobe/networks.yml +++ b/etc/kayobe/networks.yml @@ -150,6 +150,13 @@ # OVS bridge. #network_patch_suffix_ovs: +############################################################################### +# Network routing table configuration. + +# List of IP routing tables. Each item should be a dict containing 'id' and +# 'name' items. These tables will be added to /etc/iproute2/rt_tables. +#network_route_tables: + ############################################################################### # Dummy variable to allow Ansible to accept this file. workaround_ansible_issue_8743: yes