support for subnets that are not auto-routed

samsk · Sep 6, 2017 · 9d52703 · 9d52703
1 parent 521bb38
commit 9d52703
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 10 deletions.
diff --git a/roles/tinc-common/defaults/main.yaml b/roles/tinc-common/defaults/main.yaml
@@ -17,7 +17,7 @@ tinc_hostname: '{{ inventory_hostname }}'
 tinc_port: 655
 tinc_indirect: 'no'
 tinc_compression: 10
-
+tinc_mode: 'router'
 
 # os defaults
 os_family:

diff --git a/roles/tinc-common/vars/os_default.yml b/roles/tinc-common/vars/os_default.yml
@@ -1,4 +1,4 @@
 ---
 
-os_shell: '/bin/sh'
+os_shell: '/bin/bash'
 tincd_service: tincd
diff --git a/roles/tinc-config/templates/common.sh.j2 b/roles/tinc-config/templates/common.sh.j2
@@ -25,3 +25,23 @@ export VPN_IPADDR_{{ host | to_tinc_host }}
 ## current neigh
 VPN_IPADDR_NODE=`eval echo "\\$VPN_IPADDR_$NODE"`
 export VPN_IPADDR_NODE
+
+## hidden subnets
+function subnet_hidden() {
+	case "$1" in
+{% if tinc_subnet_hidden is defined %}
+{% if tinc_subnet_hidden is not string and tinc_subnet_hidden is iterable %}
+{% for subnet in tinc_subnet_hidden %}
+		"{{ subnet }}" ) return 0;
+				;;
+{% endfor %}
+{% else %}
+		"{{ tinc_subnet_hidden }}" ) return 0;
+				;;
+{% endif %}
+{% endif %}
+		* ) return 1;
+				;;
+	esac;
+	return 1;
+}
diff --git a/roles/tinc-config/templates/host.conf.j2 b/roles/tinc-config/templates/host.conf.j2
@@ -12,8 +12,9 @@ IndirectData = {{ hostvars[inventory_hostname]['tinc_indirect'] | default(tinc_i
 Address = {{ tinc_remote }}
 {% elif ansible_host != "" %}
 Address = {{ ansible_host }}
-{% endif -%}
+{% endif %}
 
+# auto-propagated subnets
 {% if tinc_subnet is defined %}
 {% if tinc_subnet is not string and tinc_subnet is iterable %}
 {% for subnet in tinc_subnet %}
@@ -26,3 +27,14 @@ Subnet = {{ tinc_subnet }}
 Subnet = {{ tinc_ip }}/32
 {% endif %}
 
+{% if tinc_subnet_hidden is defined %}
+# hidden subnets
+{% if tinc_subnet_hidden is not string and tinc_subnet_hidden is iterable %}
+{% for subnet in tinc_subnet_hidden %}
+Subnet = {{ subnet }}
+{% endfor %}
+{% else %}
+Subnet = {{ tinc_subnet_hidden }}
+{% endif %}
+{% endif %}
+
diff --git a/roles/tinc-config/templates/subnet-up.j2 b/roles/tinc-config/templates/subnet-up.j2
@@ -16,7 +16,7 @@ DN=`dirname "$DN"`
 [ "$?" = "99" ] && exit 0
 
 # add selective route
-if [ -n "$VPN_IPADDR_NODE" ] && [ "${SUBNET%.*}" != "$SUBNET" ]
+if [ -n "$VPN_IPADDR_NODE" ] && [ "${SUBNET%.*}" != "$SUBNET" ] && ! subnet_hidden "$SUBNET"
 then
 	logger -t "tinc.{{ netname }}" "subnet $SUBNET reachable via node $NODE ($VPN_IPADDR_NODE)"
 	ip route add "$SUBNET" via "$VPN_IPADDR_NODE" dev "$INTERFACE"

diff --git a/roles/tinc-config/templates/tinc.conf.j2 b/roles/tinc-config/templates/tinc.conf.j2
@@ -4,13 +4,9 @@
 Name = {{ tinc_host }}
 BindToAddress = * {{ hostvars[inventory_hostname]['tinc_port'] | default(tinc_port)}}
 
-#Device = /dev/net/tun
-#DeviceType = tap
-#DeviceType = tun
-AddressFamily = ipv4
-#Interface = tun0
+#AddressFamily = ipv4
 #Mode = switch
-Mode = router
+Mode = {{ tinc_mode }}
 
 DirectOnly = no
 Broadcast = mst