gfwleak/solutions-tsg-scripts
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增加基础组件、rulescan、maat的自动部署

Browse Source
This commit is contained in:
Lu Qiuwen
2019-06-18 21:24:42 +08:00
commit 3cab0a9c99
20 changed files with 1103 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
roles/netcfg-control-blade/templates/tsg-environment.j2 Normal file
View File

@@ -0,0 +1,15 @@
# Device Name
TSG_PF_DEVICE=ens1
TSG_DEVICE_DATA_INCOMING=enp1s0
TSG_DEVICE_DATA_3RD=enp1s1
TSG_DEVICE_CTRL_MGR=ens1
TSG_DEVICE_CTRL_LOG=enp1s2
# Dataplane address
TSG_LOCAL_MAC_DATA_INCOMING=FB:00:00:00:00:B1
TSG_PEER_MAC_DATA_INCOMING=FA:00:00:00:00:AA
TSG_LOCAL_IP_DATA_INCOMING=172.16.241.2
TSG_PEER_IP_DATA_INCOMING=172.16.241.1
TSG_LOCAL_IP6_DATA_INCOMING=fd08::02
TSG_PEER_IP_DATA_INCOMING=fd08::02

38
roles/netcfg-control-blade/templates/tsg-netcfg-control-blade.service.j2 Normal file
View File

@@ -0,0 +1,38 @@
[Unit]
Description=Tango Secure Gateway - Control Blade Network Configuration
[Service]
EnvironmentFile=/etc/sysconfig/tsg-environment
Type=oneshot
# start vfs and set incoming mac address
ExecStartPre=/usr/bin/bash -c "echo 3 > /sys/class/net/${TSG_PF_DEVICE}/device/sriov_numvfs"
# dataincoming interface
ExecStartPre=/usr/sbin/ip link set ${TSG_DEVICE_DATA_INCOMING} address ${TSG_LOCAL_MAC_DATA_INCOMING}
ExecStartPre=/usr/sbin/ip link set ${TSG_DEVICE_DATA_INCOMING} up
ExecStartPre=/usr/sbin/ip addr flush dev ${TSG_DEVICE_DATA_INCOMING}
ExecStartPre=/usr/sbin/ip addr add ${TSG_LOCAL_IP_DATA_INCOMING}/30 dev ${TSG_DEVICE_DATA_INCOMING}
ExecStartPre=/usr/sbin/ip neigh replace ${TSG_PEER_IP_DATA_INCOMING} laddr ${TSG_PEER_MAC_DATA_INCOMING}
# policy route
ExecStartPre=/usr/sbin/ip rule add iif ${TSG_DEVICE_DATA_INCOMING} tab 100
ExecStartPre=/usr/sbin/ip route add local default dev lo table 100
ExecStartPre=/usr/sbin/ip rule add fwmark 0x65 lookup ${TSG_DEVICE_DATA_INCOMING} table 101
ExecStartPre=/usr/sbin/ip route add default dev ${TSG_DEVICE_DATA_INCOMING} via ${TSG_PEER_IP_DATA_INCOMING} table 101
# policy route v6
# all works are done in execstartpre, this is only a fake target
ExecStart=/bin/true
# stop, disable VFs
ExecStop=/usr/bin/bash -c "echo 0 > /sys/class/net/${TSG_PF_DEVICE}/device/sriov_numvfs"
ExecStop=/usr/sbin/ip link set ${TSG_DEVICE_DATA_INCOMING} down
# stop, remove ip rule and table
[Install]
WantedBy=multi-user.target