20.07.rc1

deploy.yml

@@ -8,12 +8,14 @@
 #    - tsg-env-mcn0
     - mrzcpd
     - sapp
+    - tsg_master
     - kni
     - firewall
     - http_healthcheck
     - clotho
     - certstore
     - cert-redis
+    - telegraf_statistic
 
 - hosts: blade-01
   roles:
@@ -44,6 +46,7 @@
     - mrzcpd
     - tsg-env-tun-mode
     - sapp
+    - tsg_master
     - kni
     - firewall
     - http_healthcheck
@@ -51,3 +54,5 @@
     - certstore
     - cert-redis
     - tfe
+    - telegraf_statistic
+    - proxy_status

install_config/group_vars/all.yml

@@ -1,5 +1,9 @@
-########################################
-tsg_access_type: 0
+#########################################
+#####0: Pcap; 1: Inline_device;  2: Allot;  3: ADC_Tun_mode;  4: ATCA;
+tsg_access_type: 4
+
+#####0: Tun_mode;  1: normal; 2: ADC;
+tsg_running_type: 1 
 
 ########################################
 maat_redis_server:
@@ -17,7 +21,7 @@ cert_store_server:
   port: 9991
 
 log_kafkabrokers:
-  address: "192.168.40.169:9092"
+  address: "1.1.1.1:9092,2.2.2.2:9092"
 
 log_minio:
   address: "192.168.40.168;"
@@ -31,7 +35,9 @@ fs_remote:
 ########################################
 sapp:
   worker_threads: 16
+  send_only_threads_max: 8
   bind_mask: 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16
+  inbound_route_dir: 1
 
 ########################################
 kni:
@@ -45,19 +51,15 @@ kni:
   send_logger:
     switch: 1
   tfe_nodes:
-    - tfe0:
-        enabled: 1
-    - tfe1:
-        enabled: 1
-    - tfe2:
-        enabled: 1
+    tfe0_enabled: 1
+    tfe1_enabled: 1
+    tfe2_enabled: 1
 
 ########################################
 tfe:
   nr_threads: 32
   mc_cache_eth: lo 
   keykeeper:
-    mode: "normal"
     no_cache: 0
 
 ########################################
@@ -67,21 +69,21 @@ mrzcpd:
 mrtunnat:
   lcore_id: 38
 
-########################################
-nic_mgr:
-  name: eth0
 nic_data_incoming:
-  name: tun_kni
-  address: 127.0.0.1
-nic_inner_ctrl:
-  name: eth0.100
-nic_traffic_mirror:
-  name: lo
-  use_mrzcpd: 0
+  ethname: enp1s0
+  vf0_name: enp1s2
+  vf1_name: enp1s2f1
+  vf2_name: enp1s2f2
 
-nic_transparent_mode:
-  enable: 1
-  mode: pcap
-  internel_interface: "eth2"
+VlanFlipping:
+  vlanID_1: 100
+  vlanID_2: 101
+  vlanID_3: 103
+  vlanID_4: 104
+########################################
+server:
+  ethname: eth0
+  tun_name: eth0.100
+  internal_interface: "eth2"
   external_interface: "eth3"
 

roles/certstore/tasks/main.yml

@@ -10,7 +10,7 @@
 - name: install certstore
   yum:
     name:
-      - /tmp/ansible_deploy/certstore-v20.04.3989072-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/certstore-v20.05.0f61dde-1.el7.centos.x86_64.rpm
     state: present
 
 - name: template certstore configure file

roles/certstore/templates/cert_store.ini.j2

@@ -15,7 +15,7 @@ expire_after = 30
 local_debug = 1
 ca_path = ./cert/tango-ca-v3-trust-ca.pem
 untrusted_ca_path = ./cert/mesalab-ca-untrust.pem
-[NTC_MAAT]
+[MAAT]
 #Configure the load mode,
 #0: using the configuration distribution network
 #1: using local json
@@ -43,3 +43,6 @@ port = 6379
 ip = {{ maat_redis_server.address }}
 port = {{ maat_redis_server.port }}
 dbindex =  {{ maat_redis_server.db }}
+[stat]
+statsd_server=192.168.100.1
+statsd_port=8126

roles/clotho/templates/clotho.conf.j2

@@ -2,6 +2,10 @@
 BROKER_LIST={{ log_kafkabrokers.address }}
 
 [SYSTEM]
+{% if tsg_running_type == 0 or 1 %}
+NIC_NAME={{ server.ethname }}
+{% else %}
 NIC_NAME={{ nic_mgr.name }}
+{% endif %}
 LOG_LEVEL=10
 LOG_PATH=log/clotho

roles/firewall/tasks/main.yml

@@ -8,21 +8,25 @@
   yum:
     name: "{{ fw_packages }}"
     state: present
+    skip_broken: yes
   vars:
     fw_packages:
-      - /tmp/ansible_deploy/dns-debug-1.0.0.-1.el7.x86_64.rpm
-      - /tmp/ansible_deploy/ftp-debug-1.0.2.1cddd55-1.el7.centos.x86_64.rpm
-      - /tmp/ansible_deploy/http-debug-1.0.0.-1.el7.x86_64.rpm
-      - /tmp/ansible_deploy/mail-debug-1.0.0.-1.el7.x86_64.rpm
-      - /tmp/ansible_deploy/ssl-debug-1.0.0.-1.el7.x86_64.rpm
-      - /tmp/ansible_deploy/tsg_conn_record-1.0.0.2155660-1.el7.centos.x86_64.rpm
-      - /tmp/ansible_deploy/fw_dns_plug-debug-1.0.3.ea8e0f6-1.el7.centos.x86_64.rpm
-      - /tmp/ansible_deploy/fw_ftp_plug-debug-1.0.1.a5c1e05-1.el7.centos.x86_64.rpm
-      - /tmp/ansible_deploy/fw_ssl_plug-1.0.0.-1.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_mail_plug-debug-1.0.0.-1.el7.x86_64.rpm
-      - /tmp/ansible_deploy/fw_http_plug-debug-1.0.0.-1.el7.x86_64.rpm
-      - /tmp/ansible_deploy/capture_packet_plug-debug-1.0.0.-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/capture_packet_plug-3.0.2.09f193c-2.el7.x86_64.rpm
       - /tmp/ansible_deploy/clotho-debug-1.0.0.-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/dns-2.0.6.d8317e9-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/ftp-1.0.6.2710506-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_dns_plug-3.0.0.0a5d574-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_ftp_plug-3.0.0.7a867ea-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_http_plug-3.0.0.1ca1c65-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_mail_plug-3.0.0.3b4e481-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_quic_plug-3.0.0.b06d39c-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/fw_ssl_plug-3.0.0.3a29c3f-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/http-2.0.3.9218b4b-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/mail-1.0.7.9e3be05-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/quic-1.1.6.d6755d8-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/ssl-1.0.3.e8482a4-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tsg_conn_record-1.0.0.2155660-1.el7.centos.x86_64.rpm
+      - /tmp/ansible_deploy/tsg_conn_sketch-2.0.v2.0_alpha.af621ca-2.el7.x86_64.rpm
 
 - name: "Template the tsgconf/main.conf"
   template:

roles/firewall/templates/capture_packet_plug.conf.j2

@@ -15,7 +15,11 @@ INC_CFG_DIR=capture_packet_rule/inc/index/
 FULL_CFG_DIR=capture_packet_rule/full/index/
 
 [LOG]
+{% if tsg_running_type == 0 or 1 %}
+NIC_NAME={{ server.ethname }}
+{% else %}
 NIC_NAME={{ nic_mgr.name }}
+{% endif %}
 BROKER_LIST={{ log_kafkabrokers.address }}
 FIELD_FILE=conf/capture_packet_log_field.conf
 

roles/firewall/templates/maat.conf.j2

@@ -1,4 +1,5 @@
 [STATIC]
+###0:location 1:json 2:redis
 MAAT_MODE=2
 STAT_SWITCH=1
 PERF_SWITCH=1
@@ -14,6 +15,7 @@ INC_CFG_DIR=tsgrule/inc/index/
 FULL_CFG_DIR=tsgrule/full/index/
 
 [DYNAMIC]
+###0:location 1:json 2:redis
 MAAT_MODE=2
 STAT_SWITCH=1
 PERF_SWITCH=1

roles/firewall/templates/main.conf.j2

@@ -24,7 +24,11 @@ IP_ADDR_TABLE=TSG_SECURITY_ADDR
 
 [TSG_LOG]
 MODE=1
+{% if tsg_running_type == 0 or 1 %}
+NIC_NAME={{ server.ethname }}
+{% else %}
 NIC_NAME={{ nic_mgr.name }}
+{% endif %}
 MAX_SERVICE=1
 LOG_LEVEL=10
 LOG_PATH=./tsglog/tsglog
@@ -32,7 +36,7 @@ BROKER_LIST={{ log_kafkabrokers.address }}
 COMMON_FIELD_FILE=tsgconf/tsg_log_field.conf
 
 [STATISTIC]
-CYCLE=0
+CYCLE=1
 TELEGRAF_PORT=8100
 TELEGRAF_IP=127.0.0.1
 OUTPUT_PATH=./tsg_statistic.log

roles/framework/tasks/main.yml

@@ -7,9 +7,32 @@
   yum:
     name: "{{ packages }}"
     state: present
+    skip_broken: yes
   vars:
     packages:
-      - /tmp/ansible_deploy/framework-debug-2.0.17.1e678c4-1.el7.centos.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_field_stat-1.0.1.852c2df-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_field_stat2-2.9.0.16ecf3b-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_handle_logger-1.0.9.304259e-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_htable-3.10.11.6275308-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libMESA_prof_load-1.0.5.bf755de-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libWiredLB-2.0.3.c7d131b-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libcjson-1.7.8.542ad7f-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libdocumentanalyze-2.0.4.efdfc29-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libmaatframe-3.0.2.dc1fced-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/librulescan-2.2.0.900d2b3-2.el7.x86_64.rpm
+      - /tmp/ansible_deploy/libwiredcfg-2.0.2.7ce1eea-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/lz4-1.7.5-3.el7.x86_64.rpm
+      - /tmp/ansible_deploy/librdkafka-0.11.4-1.el7.x86_64.rpm
+
+- name: "mkdir /etc/ld.so.conf.d/"
+  file:
+    path: /etc/ld.so.conf.d/
+    state: directory
+
+- name: "copy framework.conf to destination server"
+  copy:
+    src: "{{ role_path }}/files/framework.conf"
+    dest: /etc/ld.so.conf.d/
 
 - name: "update ld"
   command: ldconfig

roles/kernel-ml/files/grub

@@ -0,0 +1,8 @@
+GRUB_TIMEOUT=5
+GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
+GRUB_DEFAULT=saved
+GRUB_DISABLE_SUBMENU=true
+GRUB_TERMINAL="serial console"
+GRUB_SERIAL_COMMAND="serial --speed=115200"
+GRUB_CMDLINE_LINUX="crashkernel=auto console=ttyS0,115200 intel_iommu=on iommu=pt pci=realloc,assign-busses"
+GRUB_DISABLE_RECOVERY="true"

roles/kernel-ml/tasks/main.yml

@@ -17,6 +17,20 @@
   command: /usr/sbin/grub2-set-default 0
   when: t_kernel_ml.changed
 
+- name: "copy /etc/default/grub"
+  copy:
+    src: "{{ role_path }}/files/grub"
+    dest: "/etc/default"
+  when: 
+    - tsg_access_type == 4
+    - t_kernel_ml.changed
+
+- name: "grub2-mkconfig"
+  shell: grub2-mkconfig -o /boot/grub2/grub.cfg
+  when:
+    - tsg_access_type == 4
+    - t_kernel_ml.changed
+
 - name: "reboot"
   reboot:
   when: t_kernel_ml.changed

roles/kni/tasks/main.yml

@@ -7,7 +7,7 @@
 - name: "install kni rpms from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/kni-20.04-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/kni-20.07-1.el7.x86_64.rpm
     state: present
 
 - name: Template the kni.conf

roles/kni/templates/kni.conf.j2

@@ -2,8 +2,12 @@
 log_path = ./log/kni/kni.log
 log_level = {{ kni.global.log_level }}
 tfe_node_count = {{ kni.global.tfe_node_count }}
+{% if tsg_running_type == 0 or 1 %}
+manage_eth = {{ server.ethname }}
+{% else %}
 manage_eth = {{ nic_mgr.name }}
-{% if tsg_access_type == 0 %}
+{% endif %}
+{% if tsg_running_type == 0 %}
 deploy_mode = tun
 {% else %}
 deploy_mode = normal
@@ -11,31 +15,43 @@ deploy_mode = normal
 tun_name = tun_kni
 src_mac_addr = 00:0e:c6:d6:72:c1
 dst_mac_addr = fe:65:b7:03:50:bd
-{% if tsg_access_type == 0 %}
-{% else %}
+{% if tsg_access_type == 4 %}
 [tfe0]
 enabled = 1
+dev_eth_symbol = {{ nic_data_incoming.vf1_name }}
+ip_addr = 192.168.100.1
+{% elif tsg_running_type == 2 %}
+[tfe0]
+enabled = {{ kni.tfe_nodes.tfe0_enabled }}
 dev_eth_symbol = {{ nic_to_tfe.tfe0.name }}
 ip_addr = 192.168.100.2
 
 [tfe1]
-enabled = 1
+enabled = {{ kni.tfe_nodes.tfe1_enabled }}
 dev_eth_symbol = {{ nic_to_tfe.tfe1.name }}
 ip_addr = 192.168.100.3
 
 [tfe2]
-enabled = 1
+enabled = {{ kni.tfe_nodes.tfe2_enabled }}
 dev_eth_symbol = {{ nic_to_tfe.tfe2.name }}
 ip_addr = 192.168.100.4
 {% endif %}
 
 [tfe_cmsg_receiver]
+{% if tsg_running_type == 0 or 1%}
+listen_eth = {{ server.tun_name }}
+{% else %}
 listen_eth = {{ nic_inner_ctrl.name }}
+{% endif %}
 listen_port = 2475
 
 [watch_dog]
 switch = {{ kni.watch_dog.switch }}
+{% if tsg_running_type == 0 or 1 %}
+listen_eth = {{ server.tun_name }}
+{% else %}
 listen_eth = {{ nic_inner_ctrl.name }}
+{% endif %}
 listen_port = 2476
 keepalive_idle = 2
 keepalive_intvl = 1

roles/mrzcpd/tasks/main.yml

@@ -6,7 +6,7 @@
 
 - name: "install mrzcpd"
   yum:
-    name: /tmp/ansible_deploy/mrzcpd-4.3.18.f543325-1.el7.x86_64.rpm
+    name: /tmp/ansible_deploy/mrzcpd-4.3.25.d88306e-1.el7.x86_64.rpm
     state: present
 
 - name: "update sysconfig/mrzcpd"
@@ -20,6 +20,14 @@
     dest: /opt/mrzcpd/etc/mrglobal.conf
   when: nic_traffic_mirror is defined
 
+
+- name: "update mrglobal.conf.tun_mode - tun_server"
+  template:
+    src: "{{ role_path }}/templates/mrglobal.conf.tun_mode.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when: 
+    - tsg_access_type == 0
+
 - name: "update mrglobal.conf.inline - blade00"
   template:
     src: "{{ role_path }}/templates/mrglobal.conf.inline.j2"
@@ -36,6 +44,23 @@
     - nic_traffic_mirror is not defined
     - tsg_access_type == 2
 
+- name: "update mrglobal.conf.allot - blade00"
+  template:
+    src: "{{ role_path }}/templates/mrglobal.conf.adc_tun_mode.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 3
+
+
+- name: "update mrglobal.conf.ATCA_40G - blade00"
+  template:
+    src: "{{ role_path }}/templates/mrglobal.conf.ATCA_40G.j2"
+    dest: /opt/mrzcpd/etc/mrglobal.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 4   
+
 - name: "update mrtunnat.conf.inline - blade00"
   template:
     src: "{{ role_path }}/templates/mrtunnat.conf.inline.j2"
@@ -52,28 +77,50 @@
     - nic_traffic_mirror is not defined
     - tsg_access_type == 2
 
+- name: "update mrtunnat.conf.allot_access - blade00"
+  template:
+    src: "{{ role_path }}/templates/mrtunnat.conf.adc_tun_mode.j2"
+    dest: /opt/mrzcpd/etc/mrtunnat.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 3
+
+- name: "update mrtunnat.conf.ATCA_40G - blade00"
+  template:
+    src: "{{ role_path }}/templates/mrtunnat.conf.ATCA_40G.j2"
+    dest: /opt/mrzcpd/etc/mrtunnat.conf
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type == 4
+
 - name: "enable mrenv"
   systemd:
     name: mrenv
     enabled: yes
     daemon_reload: yes
+  when: 
+    - tsg_access_type != 0
 
 - name: "enable mrzcpd"
   systemd:
     name: mrzcpd
-    enabled: 1
+    enabled: yes
     daemon_reload: yes
+  when: 
+    - tsg_access_type != 0
 
 - name: "enable mrtunnat on master"
   systemd:
     name: mrtunnat
-    enabled: 1
+    enabled: yes
     daemon_reload: yes
-  when: nic_traffic_mirror is not defined
+  when: 
+    - nic_traffic_mirror is not defined
+    - tsg_access_type != 0
 
 - name: "disable mrtunnat on slave"
   systemd:
     name: mrtunnat
-    enabled: 0
+    enabled: no
     daemon_reload: yes
   when: nic_traffic_mirror is defined

roles/mrzcpd/templates/mrglobal.conf.ATCA_40G.j2

@@ -0,0 +1,59 @@
+[device]
+device={{nic_data_incoming.vf0_name}},{{ nic_data_incoming.vf1_name }},vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=32
+
+[device:{{nic_data_incoming.vf0_name}}]
+mtu=4096
+clear_tx_flags=1
+vlan-filter=1
+vlan-strip=1
+vlan-id-allow={{ VlanFlipping.vlanID_1 }},{{ VlanFlipping.vlanID_2 }},{{ VlanFlipping.vlanID_3 }},{{ VlanFlipping.vlanID_4 }}
+vlan-pvid=0
+vlan-pvid-mode=2
+hw_strip_crc=1
+
+[device:{{ nic_data_incoming.vf1_name }}]
+mtu=4096
+clear_tx_flags=1
+vlan-filter=1
+vlan-strip=1
+vlan-id-allow=4095
+vlan-pvid=0
+vlan-pvid-mode=2
+hw_strip_crc=1
+sz_tunnel=8192
+sz_buffer=0
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore={{ mrzcpd.iocore }}
+distmode=2
+hashmode=0
+idle_threshold=10000
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=6
+forward_rule_0=pv,{{nic_data_incoming.vf0_name}},{{nic_data_incoming.vf0_name}}
+forward_rule_1=vp,{{nic_data_incoming.vf0_name}},{{nic_data_incoming.vf0_name}}
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd
+forward_rule_4=pv,{{ nic_data_incoming.vf1_name }},{{ nic_data_incoming.vf1_name }}
+forward_rule_5=vp,{{ nic_data_incoming.vf1_name }},{{ nic_data_incoming.vf1_name }}

roles/mrzcpd/templates/mrglobal.conf.adc_tun_mode.j2

@@ -0,0 +1,67 @@
+[device]
+device={{nic_data_incoming.name}},{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe2.name}},vxlan_user,vxlan_fwd
+sz_tunnel=8192
+sz_buffer=0
+
+[device:{{nic_data_incoming.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+vlan-filter=1
+vlan-id-allow=1000,1001,2000,2001,4000,4001
+#vlan-pvid=0
+#vlan-pvid-mode=0
+
+[device:{{nic_to_tfe.tfe0.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[device:{{nic_to_tfe.tfe1.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[device:{{nic_to_tfe.tfe2.name}}]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[service]
+# lcore id for i/o service, use comma to split
+iocore={{ mrzcpd.iocore }}
+distmode=2
+hashmode=0
+
+[eal]
+virtaddr=0x7f40c4a00000
+loglevel=7
+
+[keepalive]
+check_spinlock=0
+
+[ctrlzone]
+ctrlzone0=tunnat,64
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+
+[forward]
+nr_forward_rule=10
+forward_rule_0=pv,{{nic_data_incoming.name}},{{nic_data_incoming.name}}
+forward_rule_1=vp,{{nic_data_incoming.name}},{{nic_data_incoming.name}}
+forward_rule_2=vv,vxlan_fwd,vxlan_user
+forward_rule_3=vv,vxlan_user,vxlan_fwd
+forward_rule_4=pv,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}}
+forward_rule_5=vp,{{nic_to_tfe.tfe0.name}},{{nic_to_tfe.tfe0.name}}
+forward_rule_6=pv,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}}
+forward_rule_7=vp,{{nic_to_tfe.tfe1.name}},{{nic_to_tfe.tfe1.name}}
+forward_rule_8=pv,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}}
+forward_rule_9=vp,{{nic_to_tfe.tfe2.name}},{{nic_to_tfe.tfe2.name}}

roles/mrzcpd/templates/mrglobal.conf.inline.j2

@@ -4,29 +4,16 @@ sz_tunnel=8192
 sz_buffer=0
 
 [device:{{nic_data_incoming.name}}]
-{% if nic_data_incoming.ip is defined %}
 in_addr={{nic_data_incoming.ip}}
-{% endif %}
-{% if nic_data_incoming.mask is defined %}
 in_mask={{nic_data_incoming.mask}}
-{% endif %}
-{% if nic_data_incoming.gw is defined %}
 gateway={{nic_data_incoming.gw}}
-{% endif %}
 jumbo_frame=1
 max_rx_pkt_len=15360
 clear_tx_flags=1
-{% if nic_data_incoming.ip is defined %}
 #vlan-filter=1
-#vlan-id-allow=3811,3812,3813,3814,3821,3822,3823,3824,3831,3832,3833,3834,3841,3842,3843,3844
+#vlan-id-allow=1301,1302,2301,2302,1501,1502,2501,2502,1601,1602,2601,2602,1701,1702,2701,2702,1801,1802,2801,2802,1901,1902,2901,2902
 #vlan-pvid=0
 #vlan-pvid-mode=0
-{% else %}
-vlan-filter=0
-vlan-id-allow=3811,3812,3813,3814,3821,3822,3823,3824,3831,3832,3833,3834,3841,3842,3843,3844
-vlan-pvid=0
-vlan-pvid-mode=0
-{% endif %}
 
 [device:{{nic_to_tfe.tfe0.name}}]
 jumbo_frame=1

roles/mrzcpd/templates/mrglobal.conf.tun_mode.j2

@@ -0,0 +1,28 @@
+[device]
+device=fake
+sz_tunnel=8192
+sz_buffer=0
+
+[device:lo]
+jumbo_frame=1
+max_rx_pkt_len=15360
+clear_tx_flags=1
+promisc=1
+
+[service]
+iocore={{ mrzcpd.iocore }}
+
+[eal]
+virtaddr=0x7d0000000000
+loglevel=7
+
+[keepalive]
+check_spinlock=1
+
+[pool]
+create_mode=3
+sz_direct_pktmbuf=4194304
+sz_indirect_pktmbuf=8192
+sz_cache=256
+sz_data=4096
+

roles/mrzcpd/templates/mrtunnat.conf.ATCA_40G.j2

@@ -0,0 +1,24 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev={{nic_data_incoming.vf0_name}}
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_link_info_table=1
+use_tuple4_as_sskey=0
+ctrlzone_addr_info_type=2
+idle_threshold=10000
+
+[vlan_flipping]
+enable=1
+c_router_vlan_id_0={{ VlanFlipping.vlanID_1 }}
+i_router_vlan_id_0={{ VlanFlipping.vlanID_2 }}
+en_mac_flipping_0=0
+en_mac_flipping_0=0
+c_router_vlan_id_1={{ VlanFlipping.vlanID_3 }}
+i_router_vlan_id_1={{ VlanFlipping.vlanID_4 }}
+en_mac_flipping_1=0

roles/mrzcpd/templates/mrtunnat.conf.adc_tun_mode.j2

@@ -0,0 +1,24 @@
+[tunnat]
+lcore_id={{ mrtunnat.lcore_id }}
+appsym=tunnat
+phydev={{nic_data_incoming.name}}
+virtdev=vxlan_fwd
+nr_max_sessions=524280
+nr_slots=1048576
+expire_time=60
+reverse_tunnel=0
+use_recent_tunnel=0
+use_tuple4_as_sskey=1
+ctrlzone_addr_info_type=2
+
+[vlan_flipping]
+enable=1
+c_router_vlan_id_0=4000
+i_router_vlan_id_0=4001
+en_mac_flipping_0=0
+c_router_vlan_id_1=1000
+i_router_vlan_id_1=1001
+en_mac_flipping_1=0
+c_router_vlan_id_2=2000
+i_router_vlan_id_2=2001
+en_mac_flipping_2=0

roles/proxy_status/files/proxy-status.service

@@ -0,0 +1,11 @@
+[Unit]
+Description=proxy status
+
+[Service]
+ExecStart=/opt/proxy_status/proxy_start
+ExecStop=/opt/proxy_status/proxy_stop
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

roles/proxy_status/files/proxy_start

@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+
+systemctl start tsg-env-tun-mode.service &>/dev/null &
+sleep 2
+systemctl start sapp.service &>/dev/null &
+sleep 5
+systemctl start tfe-env.service &>/dev/null &
+sleep 5
+systemctl start tfe.service &>/dev/null &
+systemctl start certstore.service &>/dev/null &
+systemctl start cert-redis.service &>/dev/null &

roles/proxy_status/files/proxy_status

@@ -0,0 +1,65 @@
+#!/bin/bash
+#
+
+systemctl status tsg-env-tun-mode &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m tsg-env-tun-mode is running \033[0m"
+else
+        echo -e "\033[31m tsg-env-tun-mode is down \033[0m"
+fi
+
+systemctl status mrzcpd &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m mrzcpd is running \033[0m"
+else
+        echo -e "\033[31m mrzcpd is down \033[0m"
+fi
+
+systemctl status mrenv &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m mrenv is running \033[0m"
+else
+        echo -e "\033[31m mrenv is down \033[0m"
+fi
+
+systemctl status mrtunnat &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m mrtunnat is running \033[0m"
+else
+        echo -e "\033[31m mrtunnat is down \033[0m"
+fi
+
+systemctl status sapp &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m sapp is running \033[0m"
+else
+        echo -e "\033[31m sapp is down \033[0m"
+fi
+
+systemctl status tfe-env &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m tfe-env is running \033[0m"
+else
+        echo -e "\033[31m tfe-env is down \033[0m"
+fi
+
+systemctl status tfe &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m tfe is running \033[0m"
+else
+        echo -e "\033[31m tfe is down \033[0m"
+fi
+
+systemctl status certstore &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m certstore is running \033[0m"
+else
+        echo -e "\033[31m certstore is down \033[0m"
+fi
+
+systemctl status cert-redis &>/dev/null
+if [ $? -eq 0 ];then
+	echo -e "\033[32m cert-redis is running \033[0m"
+else
+        echo -e "\033[31m cert-redis is down \033[0m"
+fi

roles/proxy_status/files/proxy_stop

@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+
+systemctl stop tsg-env-tun-mode.service &>/dev/null &
+systemctl stop mrzcpd.service &>/dev/null &
+systemctl stop mrtunnat.service &>/dev/null &
+systemctl stop sapp.service &>/dev/null &
+systemctl stop tfe-env.service &>/dev/null &
+systemctl stop tfe.service &>/dev/null &
+systemctl stop certstore.service &>/dev/null &
+systemctl stop cert-redis.service &>/dev/null &
+

roles/proxy_status/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: "create /opt/proxy_status"
+  file:
+    path: /opt/proxy_status
+    state: directory
+
+- name: "copy files"
+  copy:
+    src: "{{ role_path }}/files/" 
+    dest: /opt/proxy_status
+    mode: 0755
+
+- name: "copy proxy-status.service"
+  copy:
+    src: "{{ role_path }}/files/proxy-status.service"
+    dest: "/usr/lib/systemd/system/"   
+    mode: 0755  
+
+- name: "enable proxy-status"
+  systemd:
+    name: proxy-status
+    enabled: yes
+    daemon_reload: yes
+

roles/sapp/tasks/main.yml

@@ -7,20 +7,11 @@
 - name: "install sapp rpms from localhost"
   yum:
     name:
-    #  - /tmp/ansible_deploy/sapp-4.0.11.347f7b7-x86_64.rpm
-      - /tmp/ansible_deploy/tsg_master-debug-1.0.0.-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/sapp-4.0.18.bb2effd-x86_64...rpm
     state: present
+    skip_broken: yes
 
-- name: "judge sapp"
-  shell: rpm -qa |grep sapp
-  register: return
-  ignore_errors: true
-
-- name: "install sapp rpms from localhost"
-  shell: cd /tmp/ansible_deploy;rpm -ivh sapp-4.0.8.fb5bce9-1.el7.x86_64.rpm
-  when: return.rc != 0
-
-- name: make dir
+- name: "mkdir tsgconf"
   file:
     path: /home/mesasoft/sapp_run/tsgconf
     state: directory
@@ -49,6 +40,13 @@
     dest: /home/mesasoft/sapp_run/etc/gdev.conf
   when: tsg_access_type == 1
   
+
+- name: "copy sapp.service destination server"
+  copy:
+    src: "{{ role_path }}/files/sapp.service"
+    dest: /usr/lib/systemd/system/
+    mode: 0755
+
 - name: "enable sapp"
   systemd:
     name: sapp

roles/sapp/templates/conflist.inf.j2

@@ -25,5 +25,7 @@
 ./plug/business/fw_dns_plug/fw_dns_plug.inf
 ./plug/business/fw_mail_plug/fw_mail_plug.inf
 ./plug/business/fw_ftp_plug/fw_ftp_plug.inf
+./plug/business/fw_quic_plug/fw_quic_plug.inf
 ./plug/business/tsg_conn_record/tsg_conn_record.inf
+./plug/business/tsg_conn_sketch/tsg_conn_sketch.inf
 ./plug/business/capture_packet_plug/capture_packet_plug.inf

roles/sapp/templates/sapp.toml.j2

@@ -14,6 +14,9 @@ worker_threads=1
 {% else %}
 worker_threads={{ sapp.worker_threads }}
 {% endif %}
+{% if tsg_access_type == 4 %}
+send_only_threads_max={{ sapp.send_only_threads_max }}
+{% endif %}
 ### note, bind_mask, if you do not want to bind thread to special CPU core, keep it empty as []
 {% if tsg_access_type == 0 %}
 bind_mask=[]
@@ -22,12 +25,19 @@ bind_mask=[{{ sapp.bind_mask }}]
 {% endif %}
 
 [PACKET_IO]
+{% if tsg_access_type == 4 %}
+### note, used to represent inbound or outbound direction value,
+##### because it comes from other device, so it needs to be specified manually,
+##### if inbound_route_dir=1, then outbound_route_dir=0, vice versa,
+##### in other words, outbound_route_dir = 1 ^ inbound_route_dir;
+inbound_route_dir={{ sapp.inbound_route_dir }}
+{% endif %}
 ### note, BSD_packet_filter, if you do not want to set any filter rule, keep it empty as ""
 BSD_packet_filter=""
    
 ### note, depolyment.mode options: [mirror, inline, transparent]
     [packet_io.depolyment]
-    {% if nic_transparent_mode.enable == 1 %}
+    {% if tsg_access_type == 0 %}
     mode=transparent
     {% else %}
     mode=inline
@@ -35,18 +45,18 @@ BSD_packet_filter=""
 
 ### note, interface.type options: [pag,pcap,marsio]
     [packet_io.internal.interface]
-    {% if nic_transparent_mode.enable == 1 %}
-    type={{nic_transparent_mode.mode}}
-    name={{nic_transparent_mode.internel_interface}}
+    {% if tsg_access_type == 0 %}
+    type=pcap
+    name={{server.internal_interface}}
     {% else %}
     type=marsio
     name=vxlan_user
     {% endif %}
 
     [packet_io.external.interface]
-    {% if nic_transparent_mode.enable %}
-    type={{nic_transparent_mode.mode}}
-    name={{nic_transparent_mode.external_interface}}
+    {% if tsg_access_type == 0 %}
+    type=pcap
+    name={{server.external_interface}}
     {% else %}
     type=pcap
     name=lo

roles/telegraf_statistic/files/telegraf_statistic.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Statistic information
+Documentation=https://github.com/influxdata/telegraf
+After=network.target
+
+[Service]
+EnvironmentFile=-/etc/default/telegraf
+User=telegraf
+ExecStart=/usr/bin/telegraf -config /etc/telegraf/telegraf_statistic.conf -config-directory /etc/telegraf/telegraf_statistic.d $TELEGRAF_OPTS
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+RestartForceExitStatus=SIGPIPE
+KillMode=control-group
+
+[Install]
+WantedBy=multi-user.target

roles/telegraf_statistic/tasks/main.yml

@@ -0,0 +1,28 @@
+- name: "copy telegraf.rpm to destination server"
+  copy:
+    src: "{{ role_path }}/files/telegraf-1.13.0-1.x86_64.rpm"
+    dest: /tmp
+
+- name: "install telegraf"
+  yum:
+    name:
+      - /tmp/telegraf-1.13.0-1.x86_64.rpm
+    state: present
+
+- name: "Templates telegraf.conf"
+  template:
+    src: "{{role_path}}/templates/telegraf_statistic.conf.j2"
+    dest: /etc/telegraf/telegraf_statistic.conf
+  tags: template
+
+- name: "copy telegraf_statistic.service to destination server"
+  copy:
+    src: "{{ role_path }}/files/telegraf_statistic.service"
+    dest: /usr/lib/systemd/system
+    mode: 0755
+
+- name: "Start telegraf"
+  systemd:
+    name: telegraf_statistic.service
+    state: started
+    enabled: yes

roles/telegraf_statistic/templates/telegraf_statistic.conf.j2

@@ -0,0 +1,29 @@
+[global_tags]
+[agent]
+  interval = "30s"
+  round_interval = true
+  metric_batch_size = 1000
+  metric_buffer_limit = 10000
+  collection_jitter = "0s"
+  flush_interval = "10s"
+  flush_jitter = "0s"
+  precision = ""
+  debug = false
+  quiet = false
+  logfile = ""
+  hostname = ""
+  omit_hostname = false
+ [[outputs.file]]
+    files = ["stdout", "/tmp/metrics.out"]
+       data_format = "json"
+ [[outputs.kafka]]
+   brokers = ["192.168.40.186:9092"]
+   topic = "TRAFFIC-METRICS-LOG"
+    data_format = "json"
+ [[outputs.prometheus_client]]
+   listen = ":9273"
+    path = "/metrics"
+ [[inputs.tcp_listener]]
+ [[inputs.udp_listener]]
+ServiceAddress= ":8100"
+data_format = "influx"

roles/tfe/files/tfe.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=Tango Frontend Engine
+Requires=tfe-env.service
+After=tfe-env.service
+
+
+[Service]
+Type=notify
+ExecStart=/opt/tsg/tfe/bin/tfe
+WorkingDirectory=/opt/tsg/tfe/
+TimeoutSec=3600s
+RestartSec=10s
+Restart=always
+LimitNOFILE=524288
+LimitNPROC=infinity
+LimitCORE=infinity
+TasksMax=infinity
+Delegate=yes
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target

roles/tfe/tasks/main.yml

@@ -4,11 +4,17 @@
     src: "{{ role_path }}/files/"
     dest: /tmp/ansible_deploy/
 
+- name: "copy tfe.service to destination server"
+  copy:
+    src: "{{ role_path }}/files/tfe.service"
+    dest: /usr/lib/systemd/system/
+    mode: 0755
+ 
 - name: "install tfe rpms from localhost"
   yum:
     name:
       - /tmp/ansible_deploy/tfe-kmod-v1.0.5.20200408-1dkms.noarch.rpm
-      - /tmp/ansible_deploy/tfe-4.3.1.202004291711100800.374930d-1.el7.x86_64.rpm
+      - /tmp/ansible_deploy/tfe-4.3.7.39bff00-1.el7.x86_64.rpm
     state: present
 
 - name: "template tfe-env config"
@@ -31,6 +37,16 @@
     src: "{{ role_path }}/templates/pangu_pxy.conf.j2"
     dest: /opt/tsg/tfe/conf/pangu/pangu_pxy.conf
 
+- name: "create conf/doh/"
+  file:
+    path: /opt/tsg/tfe/conf/doh/ 
+    state: directory
+
+- name: "template the doh.conf"
+  template:
+    src: "{{ role_path }}/templates/doh.conf.j2"
+    dest: /opt/tsg/tfe/conf/doh/doh.conf
+
 - name: "create a override conf - first step, create dir"
   file:
     path: /etc/systemd/system/tfe.service.d/

roles/tfe/templates/doh.conf.j2

@@ -0,0 +1,26 @@
+[doh]
+# default 1
+enable=1
+
+[log]
+# default 10
+# RLOG_LV_DEBUG : 10
+# RLOG_LV_INFO  : 20
+# RLOG_LV_FATAL : 30
+log_level=10
+
+[maat]
+# default TSG_OBJ_APP_ID
+table_appid=TSG_OBJ_APP_ID
+# default TSG_SECURITY_ADDR
+table_addr=TSG_SECURITY_ADDR
+# default TSG_FIELD_DOH_QNAME
+table_qname=TSG_FIELD_DOH_QNAME
+# default TSG_FIELD_HTTP_HOST
+table_host=TSG_FIELD_DOH_HOST
+
+[kafka]
+# default 0
+ENTRANCE_ID=0
+# default 1
+en_sendlog=1

roles/tfe/templates/pangu_pxy.conf.j2

@@ -1,11 +1,8 @@
 [debug]
-log_level=30
+log_level=10
 
 [log]
-nic_name= {{ nic_mgr.name }}
 entrance_id=0
-kafka_brokerlist= {{ log_kafkabrokers.address }}
-kafka_topic=PROXY-EVENT-LOG
 
 #Addresses of minio. Format is defined by WiredLB.
 #minio_ip_list=192.168.10.61-64;
@@ -53,28 +50,13 @@ log_fsstat_interval=10
 log_fsstat_trig=1
 log_fsstat_dst_ip=10.4.20.202
 log_fsstat_dst_port=8125
-[maat]
-# 0:json 1: redis 2: iris
-maat_input_mode=1
-table_info=resource/pangu/table_info.conf
-json_cfg_file=resource/pangu/pangu_http.json
-stat_file=log/pangu_scan.status
-full_cfg_dir=pangu_policy/full/index/
-inc_cfg_dir=pangu_policy/inc/index/
 
-maat_redis_server={{ maat_redis_server.address }}
-maat_redis_port_range={{ maat_redis_server.port }}
-maat_redis_db_index={{ maat_redis_server.db }}
-effect_interval_s=1
-#accept_tags={"tags":[{"tag":"location","value":"Astana"}]}
-
-[dynamic_maat]
-maat_input_mode=1
-table_info=resource/pangu/dynamic_maat_table_info.conf
-maat_redis_server={{ dynamic_maat_redis_server.address }}
-maat_redis_port_range={{ dynamic_maat_redis_server.port }}
-maat_redis_db_index={{ dynamic_maat_redis_server.db }}
-effect_interval_s=1
+[ratelimit]
+enable=0
+token_name=ratelimit
+redis_server={{ maat_redis_server.address }}
+redis_port={{ maat_redis_server.port }}
+redis_db_index=6
 
 [tango_cache]
 enable_cache=0
@@ -107,8 +89,8 @@ wiredlb_group=TangoCache
 
 cache_undefined_obj=1
 query_undefined_obj=0
-statsd_server={{fs_remote.address}}
-statsd_port={{fs_remote.port}}
+statsd_server=192.168.10.72
+statsd_port=8126
 histogram_bins=0.20,0.40,0.6,0.8
 
 log_fsstat_appname=tango_cache
@@ -122,3 +104,4 @@ log_fsstat_dst_port=8125
 [traffic_mirror]
 table_info=resource/pangu/table_info_traffic_mirror.conf
 stat_file=log/traffic_mirror.status
+

roles/tfe/templates/tfe-env-config.j2

@@ -1,11 +1,20 @@
-
+{% if tsg_access_type == 4 %}
+TFE_DEVICE_DATA_INCOMING={ nic_data_incoming.vf2_name }}
+{% elif tsg_running_type == 0 %}
+TFE_DEVICE_DATA_INCOMING=tun_kni
+{% else %}
 TFE_DEVICE_DATA_INCOMING={{ nic_data_incoming.name }}
+{% endif %}
 TFE_LOCAL_MAC_DATA_INCOMING=fe:65:b7:03:50:bd
+{% if tsg_access_type == 4 %}
+TFE_PEER_MAC_DATA_INCOMING=00:0e:c6:d6:72:c1
+{% else %}
 TFE_PEER_MAC_DATA_INCOMING=aa:bb:cc:dd:ee:ff
+{% endif %}
 TFE_LOCAL_IP_DATA_INCOMING=172.16.241.2
 TFE_PEER_IP_DATA_INCOMING=172.16.241.1
 
-{% if tsg_access_type == 0 %}
-TFE_WATCHDOG_DEVICE={{ nic_inner_ctrl.name }}
+{% if tsg_running_type == 0 or 1 %}
+TFE_WATCHDOG_DEVICE={{ server.tun_name }}
 TFE_WATCHDOG_IP=192.168.100.1
 {% endif %}

roles/tfe/templates/tfe.conf.j2

@@ -1,13 +1,15 @@
 [system]
 nr_worker_threads={{ tfe.nr_threads }}
-enable_breakpad=1
+enable_breakpad=0
 enable_breakpad_upload=0
 breakpad_minidump_dir=/run/tfe/crashreport/
 breakpad_upload_url=http://127.0.0.1:9000/
+disable_coredump=0
+
 
 [kni]
 ip=192.168.100.1
-scm_port=2475
+cmsg_port=2475
 watchdog_switch=1
 watchdog_port=2476
 
@@ -30,7 +32,11 @@ service_cache_expire_seconds=600
 # default 0
 mc_cache_enable=1
 # default eth0
+{% if tsg_running_type == 0 or 1 %}
+mc_cache_eth={{ server.tun_name }}
+{% else %}
 mc_cache_eth={{ nic_inner_ctrl.name }}
+{% endif %}
 # default NULL
 mc_cache_broker_list={{ log_kafkabrokers.address }}
 # default PXY-EXCH-INTERMEDIA-CERT
@@ -39,18 +45,25 @@ mc_cache_topic=PXY-EXCH-INTERMEDIA-CERT
 [key_keeper]
 #Mode: debug - generate cert with ca_path, normal - generate cert with cert store
 #0 on cache 1 off cache
-mode= {{ tfe.keykeeper.mode }}
+mode= normal
 no_cache=0
 cert_store_host= {{ cert_store_server.address }}
 cert_store_port= {{ cert_store_server.port }}
 ca_path=resource/tfe/tango-ca-v3-trust-ca.pem
 untrusted_ca_path=resource/tfe/tango-ca-v3-untrust-ca.pem
+# health_check only for "mode=normal"
+# default 1
+enable_health_check=1
 
 [debug]
 passthrough_all_tcp=0
 
 [traffic_mirror]
+{% if tsg_running_type == 0 or 1 %}
+device=lo
+{% else %}
 device={{ nic_traffic_mirror.name }}
+{% endif %}
 type=0
 
 [ratelimit]
@@ -69,11 +82,49 @@ tcp_ttl_upstream=75
 tcp_ttl_downstream=70
 
 [log]
-level=30
+level=10
 
 [stat]
 statsd_server={{ fs_remote.address }}
 statsd_port={{ fs_remote.port }}
+statsd_cycle=5
+# FS_OUTPUT_STATSD=1, FS_OUTPUT_INFLUX_LINE=2
+statsd_format=2
 
 [http]
-loglevel=30
+loglevel=10
+
+[kafka]
+enable=1
+{% if tsg_running_type == 0 or 1 %}
+nic_name={{ server.ethname }}
+{% else %}
+nic_name={{ nic_mgr.name }}
+{% endif %}
+kafka_brokerlist={{ log_kafkabrokers.address }}
+kafka_topic=PROXY-EVENT-LOG
+device_id_filepath=/opt/tsg/etc/tsg_sn.json
+
+[maat]
+# 0:json 1: redis 2: iris
+maat_input_mode=1
+table_info=resource/pangu/table_info.conf
+json_cfg_file=resource/pangu/pangu_http.json
+stat_file=log/pangu_scan.status
+full_cfg_dir=pangu_policy/full/index/
+inc_cfg_dir=pangu_policy/inc/index/
+
+maat_redis_server={{ maat_redis_server.address }}
+maat_redis_port_range={{ maat_redis_server.port }}
+maat_redis_db_index={{ maat_redis_server.db }}
+effect_interval_s=1
+#accept_tags={"tags":[{"tag":"location","value":"Astana"}]}
+
+[dynamic_maat]
+maat_input_mode=1
+table_info=resource/pangu/dynamic_maat_table_info.conf
+maat_redis_server={{ dynamic_maat_redis_server.address }}
+maat_redis_port_range={{ dynamic_maat_redis_server.port }}
+maat_redis_db_index={{ dynamic_maat_redis_server.db }}
+effect_interval_s=1
+

roles/tsg-env-tun-mode/templates/setup.j2

@@ -1,11 +1,27 @@
 #!/bin/bash
 modprobe 8021q
-vconfig add {{ nic_mgr.name }} 100
-vconfig set_flag {{ nic_mgr.name }}.100 1 1
-ifconfig {{ nic_mgr.name }}.100 192.168.100.1 netmask 255.255.255.0 up
-ethtool -K {{ nic_transparent_mode.internel_interface }} tso off
-ethtool -K {{ nic_transparent_mode.internel_interface }} gso off
-ethtool -K {{ nic_transparent_mode.internel_interface }} gro off
-ethtool -K {{ nic_transparent_mode.externel_interface }} tso off
-ethtool -K {{ nic_transparent_mode.externel_interface }} gso off
-ethtool -K {{ nic_transparent_mode.externel_interface }} gro off
+vconfig add {{ server.ethname }} 100
+vconfig set_flag {{ server.ethname }}.100 1 1
+ifconfig {{ server.ethname }}.100 192.168.100.1 netmask 255.255.255.0 up
+{% if tsg_access_type == 0 %}
+ethtool -K {{ server.internal_interface }} tso off
+ethtool -K {{ server.internal_interface }} gso off
+ethtool -K {{ server.internal_interface }} gro off
+ethtool -K {{ server.external_interface }} tso off
+ethtool -K {{ server.external_interface }} gso off
+ethtool -K {{ server.external_interface }} gro off
+{% elif tsg_access_type == 4 %}
+echo 3 > /sys/class/net/{{ nic_data_incoming.ethname }}/device/sriov_numvfs
+ip link set {{ nic_data_incoming.ethname }} vf 1 vlan 4095
+ip link set {{ nic_data_incoming.ethname }} vf 2 vlan 4095
+ip link set {{ nic_data_incoming.ethname }} vf 0 trust on
+ip link set {{ nic_data_incoming.ethname }} vf 1 trust on
+ip link set {{ nic_data_incoming.ethname }} vf 2 trust on
+ip link set {{ nic_data_incoming.ethname }} vf 1 mac 00:0e:c6:d6:72:c1
+ip link set {{ nic_data_incoming.ethname }} vf 2 mac fe:65:b7:03:50:bd
+ip link set {{ nic_data_incoming.ethname }} vf 0 spoofchk off
+ip link set {{ nic_data_incoming.vf0_name }} up
+ip link set {{ nic_data_incoming.vf1_name }} up
+ip link set {{ nic_data_incoming.vf2_name }} up
+{% endif %}
+

roles/tsg-env-tun-mode/templates/tsg-env_stop.j2

@@ -1,5 +1,8 @@
 #!/bin/bash
 #
-echo 0 >/sys/class/net/ens1/device/sriov_numvfs
-ifconfig {{ nic_mgr.name }}.100 down
-vconfig rem {{ nic_mgr.name }}.100
+echo 0 >/sys/class/net/{{ server.ethname }}/device/sriov_numvfs
+ifconfig {{ server.ethname }}.100 down
+vconfig rem {{ server.ethname }}.100
+{% if tsg_access_type == 4 %}
+echo 0 >/sys/class/net/{{ nic_data_incoming.ethname }}/device/sriov_numvfs
+{% endif %}

roles/tsg_master/tasks/main.yml

@@ -6,5 +6,6 @@
 - name: "install tsg_master from localhost"
   yum:
     name:
-      - /tmp/ansible_deploy/tsg_master-debug-1.0.3.a4e2a7c-1.el7.centos.x86_64.rpm
+      - /tmp/ansible_deploy/tsg_master-3.0.3.3c9cf15-2.el7.x86_64.rpm
     state: present
+    skip_broken: yes