diff --git a/files/bataddif.sh.j2 b/files/bataddif.sh.j2
index e0fc221..42328e5 100644
--- a/files/bataddif.sh.j2
+++ b/files/bataddif.sh.j2
@@ -1,30 +1,8 @@
#!/bin/bash
INTERFACE="$3"
-#MAC="$8"
-#BLACKLISTFILE=/opt/freifunk/blockliste.txt
-batctl=/usr/local/sbin/batctl
+MAC="$8"
+brctl=/sbin/brctl
-#if [ -f /opt/freifunk/blockliste.txt ]
-
-#if [ -f $BLACKLISTFILE ]
-# then
-# BLOCKLISTE=$(cat /opt/freifunk/blockliste.txt)
-# else
-# touch=$BLOCKLISTE
-#fi
-
-#for i in $BLOCKLISTE;
-#do
-# if [[ $i == $MAC ]]; then
-# exit 1
-# fi
-#done
-
-#ip link set address {{ sn_mesh_MAC }} dev $INTERFACE
-#ifconfig $INTERFACE hw ether {{ sn_mesh_MAC }}
/bin/ip link set dev $INTERFACE up mtu 1312
-#/sbin/sysctl net.ipv4.conf.$INTERFACE.rp_filter=0
-
-$batctl if add $INTERFACE
-
-echo "enabled" > /sys/devices/virtual/net/$INTERFACE/batman_adv/no_rebroadcast
+#echo "enabled" > /sys/devices/virtual/net/$INTERFACE/batman_adv/no_rebroadcast
+$brctl addif br-nodes $INTERFACE
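Review bot: `MAC="$8"` is assigned but never read — the blocklist loop that used it remains commented out — so the new line is dead code until that check is reinstated. `$INTERFACE` (positional `$3`) is still expanded unquoted on both the `ip link` line and the new `brctl addif` line, and the hook exits 0 even when attaching to the bridge fails, which leaves a freshly created tunnel interface up but outside `br-nodes` with nothing reporting it. Suggest `/bin/ip link set dev "$INTERFACE" up mtu 1312 || exit 1` and `"$brctl" addif br-nodes "$INTERFACE" || exit 1`, and either drop `MAC` or restore the blocklist check that consumed it. The `no_rebroadcast` line is now commented out without a note saying why; a one-line comment such as `# no_rebroadcast is unavailable on a bridge hard-interface; set it on br-nodes instead if needed` would stop the next reader from re-enabling it.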
diff --git a/files/batdelif.sh b/files/batdelif.sh
index 65fc46d..029b3ca 100644
--- a/files/batdelif.sh
+++ b/files/batdelif.sh
@@ -1,4 +1,4 @@
#!/bin/bash
INTERFACE="$3"
-/usr/local/sbin/batctl if del $INTERFACE
+/sbin/brctl delif br-nodes $INTERFACE
diff --git a/files/collectd.conf.j2 b/files/collectd.conf.j2
index fc11d7f..0313b74 100644
--- a/files/collectd.conf.j2
+++ b/files/collectd.conf.j2
@@ -30,7 +30,7 @@ LoadPlugin filecount
Instance "tunneldigger-connections"
- Name "l2tp1*"
+ Name "l2tp*"
diff --git a/files/collectd_td_stat.sh b/files/collectd_td_stat.sh
index a8de947..d600d80 100644
--- a/files/collectd_td_stat.sh
+++ b/files/collectd_td_stat.sh
@@ -6,9 +6,11 @@ fi
#Remove old Interfaces
rm /opt/freifunk/tunneldigger_interfaces/*
#Create Interace files
-for i in `/usr/local/sbin/batctl if | grep l2tp1`;
+for i in `/sbin/brctl show br-nodes | grep l2tp`;
do
touch /opt/freifunk/tunneldigger_interfaces/$i
done
-#Remove Active file
-rm /opt/freifunk/tunneldigger_interfaces/active
+#Remove wrong file
+rm /opt/freifunk/tunneldigger_interfaces/no
+rm /opt/freifunk/tunneldigger_interfaces/br-*
+rm /opt/freifunk/tunneldigger_interfaces/8*
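Review bot: The three `rm` lines at the end are a workaround for word-splitting the tabular output of `brctl show br-nodes`: the first data row also carries the bridge name, bridge id and STP flag, so `br-nodes`, `8000.…` and `no` are first created as files and then deleted, and a bridge id not starting with `8` would survive as a bogus entry. Reading the port list from sysfs avoids parsing entirely and needs no cleanup: `for i in /sys/class/net/br-nodes/brif/l2tp*; do` / `[ -e "$i" ] && touch "/opt/freifunk/tunneldigger_interfaces/${i##*/}"` / `done`, after which the three `rm` lines can go. The loop variable should also be quoted in the `touch` call as it is today. The enclosing script starts before this hunk.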
diff --git a/files/keepalive.exit.sh.j2 b/files/keepalive.exit.sh.j2
new file mode 100644
index 0000000..a99b670
--- /dev/null
+++ b/files/keepalive.exit.sh.j2
@@ -0,0 +1,29 @@
+#!/bin/sh
+#
+# -q quiet
+# -c nb of pings
+
+HOST1=8.8.8.8
+HOST2=8.8.4.4
+BATCTL=/usr/local/sbin/batctl
+
+ping -q -c5 $HOST1 > /dev/null
+if [ $? -eq 0 ]
+then
+ echo "ok"
+ $BATCTL gw server 100Mbit/100Mbit
+else
+
+ echo "$HOST1 NICHT ok"
+ ping -q -c5 $HOST2 > /dev/null
+ if [ $? -eq 0 ]
+ then
+ echo "$HOST2 ok"
+ $BATCTL gw server 100Mbit/100Mbit
+ else
+ echo "$HOST2 NICHT ok"
+ $BATCTL gw off
+ fi
+
+fi
+
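Review bot: The two `if [ $? -eq 0 ]` branches duplicate the `gw server 100Mbit/100Mbit` arm and the quoting of `$HOST1`/`$HOST2`, and `ping` is called by bare name while `batctl` is given as an absolute path; testing the command directly in `if` and looping over the hosts removes both the duplication and the `$?` idiom. The file also lacks a header stating its contract — suggest `# Announce this node as a batman-adv gateway only while one of the probe hosts answers ICMP; otherwise withdraw the announcement.` Note that ICMP reachability of public resolvers is a coarse proxy: the exit can keep announcing while NAT or the routing daemon are broken, which may be acceptable but deserves a comment. The file is a `.j2` template yet uses no template variables.

```sh
#!/bin/sh
# Announce this node as a batman-adv gateway only while one of the probe
# hosts answers ICMP; otherwise withdraw the announcement.
BATCTL=/usr/local/sbin/batctl

for host in 8.8.8.8 8.8.4.4; do
  if ping -q -c5 "$host" >/dev/null 2>&1; then
    echo "$host ok"
    exec "$BATCTL" gw server 100Mbit/100Mbit
  fi
  echo "$host NICHT ok"
done
"$BATCTL" gw off
```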
diff --git a/files/keepalive.sh b/files/keepalive.sh
index f471a45..19c28dc 100644
--- a/files/keepalive.sh
+++ b/files/keepalive.sh
@@ -1,5 +1,5 @@
#!/bin/bash
-# Version 1.5
+# Version 1.6
# Parameter setzen
GATEWAY1ext=185.66.193.105
GATEWAY2ext=185.66.193.106
@@ -24,7 +24,7 @@ if [ $(hostname) = "troisdorf1" ] || [ $(hostname) = "troisdorf2" ]
DEFAULT_GATEWAY=$GATEWAY2
DEFAULT_GATEWAYext=$GATEWAY2ext
FALLBACK_GATEWAY=$GATEWAY1
- FALLBACK_GATEWAY=$GATEWAY1ext
+ FALLBACK_GATEWAYext=$GATEWAY1ext
DEFAULT_GATEWAYv6=$GATEWAY2v6
FALLBACK_GATEWAYv6=$GATEWAY1v6
diff --git a/files/l2tp_backbone.sh.exit.j2 b/files/l2tp_backbone.sh.exit.j2
index bd86c0b..f9bca4c 100644
--- a/files/l2tp_backbone.sh.exit.j2
+++ b/files/l2tp_backbone.sh.exit.j2
@@ -2,8 +2,8 @@
# Version 6
# Der servername muss mit einer einstelligen Zahl aufhoeren!!!!!
communityname="troisdorf"
-#server="troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9"
-server="troisdorf7 {{ sn_hostname }}"
+server="troisdorf1 troisdorf2 troisdorf3 troisdorf4 troisdorf5 troisdorf6 troisdorf7 troisdorf8 troisdorf9"
+#server="troisdorf7 {{ sn_hostname }}"
domain="freifunk-troisdorf.de"
mtu={{ sn_mtu }}
# community MAC address, without the last Byte (:)!
@@ -54,5 +54,8 @@ $ip -6 addr add $communitynetworkv6$octet3rd:${localserver#$communityname}/64 de
$alfred -i bat0 > /dev/null 2>&1 &
/bin/sleep 15
$batadv -i bat0 -s > /dev/null 2>&1 &
-/usr/sbin/service bind9 restart
-/usr/local/sbin/batctl gw client 3
+/bin/systemctl restart isc-dhcp-server
+/bin/systemctl restart bind9
+#/usr/local/sbin/batctl gw client 3
+/usr/local/sbin/batctl gw server 100Mbit/100Mbit
+
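Review bot: `batctl gw server 100Mbit/100Mbit` is now announced unconditionally at boot, before any upstream check has run, so nodes may select this gateway for up to one keepalive interval while its exit path is still down; the keepalive script added in this change appears to be the component meant to gate that announcement. Consider not announcing here and letting the health check promote the node, e.g. replace the last command with `/opt/freifunk/keepalive.sh`. The `systemctl restart` calls for `isc-dhcp-server` and `bind9` are also unchecked under this shell, so a failed restart leaves no trace in this script. The enclosing script starts before this hunk.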
diff --git a/files/sn_startup.exit.sh.j2 b/files/sn_startup.exit.sh.j2
index b8c11fd..f99fcc8 100644
--- a/files/sn_startup.exit.sh.j2
+++ b/files/sn_startup.exit.sh.j2
@@ -1,4 +1,5 @@
#!/bin/sh
+# Version 1.7
curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
@@ -45,11 +46,23 @@ done
# Allow MAC address spoofing
/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
+# Create Tunneldigger Bridge
+/sbin/brctl addbr br-nodes
+/sbin/ip link set dev br-nodes up
+/sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP
+/usr/local/sbin/batctl if add br-nodes
+
sleep 5
-# stop tunneldigger
-/bin/systemctl disable tunneldigger
-/bin/systemctl stop tunneldigger
+# Fixing the nf_conntrack … dropping packets error
+# hashsize = nf_conntrack_max / 4
+sysctl -w net.netfilter.nf_conntrack_max=131072
+echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
+
+# Against Denial of Service attacks from internal network
+# Check with: sysctl -a | grep conntrack | grep timeout
+sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
+sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
# restart bird
/bin/systemctl start bird
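Review bot: The two timeout sysctls use the legacy proc-compat names `net.ipv4.netfilter.ip_conntrack_*`, which only exist when the kernel provides `NF_CONNTRACK_PROC_COMPAT` and have been removed from newer kernels, while the `nf_conntrack_max` line just above already uses the current `net.netfilter.` namespace; under `#!/bin/sh` with no `set -e` a rejected name fails silently and the DoS mitigation the comment promises is simply not applied. Suggest `sysctl -w net.netfilter.nf_conntrack_generic_timeout=240` and `sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=54000`. The write to `/sys/module/nf_conntrack/parameters/hashsize` likewise assumes the module is already loaded at this point and is unchecked. The enclosing script starts before and continues after this hunk.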
@@ -57,12 +70,12 @@ sleep 5
/bin/systemctl enable bird
/bin/systemctl enable bird6
-# stop radvd
-/bin/systemctl disable radvd
-/bin/systemctl stop radvd
+# Start tunneldigger
+/bin/systemctl restart tunneldigger
+/bin/systemctl enable tunneldigger
-# restart DHCP
-/bin/systemctl disable isc-dhcp-server
-/bin/systemctl stop isc-dhcp-server
+# radvd restart
+/bin/systemctl restart radvd
+/bin/systemctl enable radvd
exit 0
diff --git a/files/sn_startup.sh.j2 b/files/sn_startup.sh.j2
index dd4550d..276e10e 100644
--- a/files/sn_startup.sh.j2
+++ b/files/sn_startup.sh.j2
@@ -1,4 +1,5 @@
#!/bin/sh
+# Version 1.7
curl -X POST --data-urlencode 'payload={"text": "{{ sn_hostname }} is rebooted", "channel": "#technik", "username": "{{ sn_hostname }}", "icon_emoji": ":floppy_disk:"}' https://hooks.slack.com/services/{{ slack_token }}
@@ -40,8 +41,24 @@ done
# Allow MAC address spoofing
/sbin/sysctl net.ipv4.conf.bat0.rp_filter=0
+# Create Tunneldigger Bridge
+/sbin/brctl addbr br-nodes
+/sbin/ip link set dev br-nodes up
+/sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP
+/usr/local/sbin/batctl if add br-nodes
+
sleep 5
+# Fixing the nf_conntrack … dropping packets error
+# hashsize = nf_conntrack_max / 4
+sysctl -w net.netfilter.nf_conntrack_max=131072
+echo 32768 > /sys/module/nf_conntrack/parameters/hashsize
+
+# Against Denial of Service attacks from internal network
+# Check with: sysctl -a | grep conntrack | grep timeout
+sysctl -w net.ipv4.netfilter.ip_conntrack_generic_timeout=240
+sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_established=54000
+
# Start tunneldigger
/bin/systemctl restart tunneldigger
/bin/systemctl enable tunneldigger
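Review bot: `brctl addbr br-nodes` and `ebtables -A FORWARD --logical-in br-nodes -j DROP` are not idempotent: rerunning the script by hand (it is normally a `@reboot` cron job) fails `addbr` on the existing bridge and appends a duplicate DROP rule, and neither failure is checked under `#!/bin/sh` without `set -e`. That rule is what stops frames from being forwarded between the tunnel ports of `br-nodes`, so a missing `ebtables` binary would silently leave nodes bridged to one another at layer 2; the comment should say so, e.g. `# Tunnel ports must only reach each other via batman-adv, never be bridged directly`. Suggest guarding both: `[ -d /sys/class/net/br-nodes ] || /sbin/brctl addbr br-nodes || exit 1` and `/sbin/ebtables -L FORWARD | grep -q 'logical-in br-nodes' || /sbin/ebtables -A FORWARD --logical-in br-nodes -j DROP || exit 1`. The same block appears in the exit-node startup script and would need the same treatment. The enclosing script starts before and continues after this hunk.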
diff --git a/install.sn.yml b/install.sn.yml
index 1a8d4d0..d836102 100644
--- a/install.sn.yml
+++ b/install.sn.yml
@@ -9,7 +9,7 @@
user: root
gather_facts: False
vars:
- snversion: master_v2.1
+ snversion: master_v3.0.0
batmanversion: v2015.2
common_required_packages:
- git
@@ -71,8 +71,8 @@
raw: "sed -i '/deb cdrom/c\\#' /etc/apt/sources.list"
- name: Make this server ansible compatible
raw: "apt-get update && apt-get install python -y"
- - name: Add backport repo to source list #target: /etc/apt/sources.list.d
- apt_repository: repo='deb http://http.debian.net/debian jessie-backports main' state=present
+# - name: Add backport repo to source list #target: /etc/apt/sources.list.d
+# apt_repository: repo='deb http://http.debian.net/debian jessie-backports main' state=present
- name: Update apt cache
apt: update_cache=yes
- name: Gathering facts
@@ -192,25 +192,26 @@
with_items: logrotate_config
- name: Create freifunk directory
file: path=/opt/freifunk state=directory mode=0755
- - name: Check gateway / keepalive script
+ - name: Check gateway / keepalive script supernode
copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500
with_items: check_gw_script
register: check_gw
when: sn_exit is undefined
+ - name: Check gateway / keepalive script super- and exitnode
+ template: src=./files/keepalive.exit.sh.j2 dest=/opt/freifunk/keepalive.sh owner=root group=root mode=0500
+ register: check_gw
+ when: sn_exit is defined
- name: Add cron job with check gateway script
cron: name=check_gw job="/opt/freifunk/keepalive.sh > /dev/null 2>&1" user="root"
when: check_gw.changed
-
- name: Tunneldigger stats
copy: src=./files/{{ item }} dest=/opt/freifunk owner=root group=root mode=0500
with_items: tunneld_stats_file
register: tunneld_stats
- when: sn_exit is undefined
+# when: sn_exit is undefined
- name: Add cron job tunneldigger stats
cron: name=tunneld_stats job="/opt/freifunk/collectd_td_stat.sh > /dev/null 2>&1" user="root"
when: tunneld_stats.changed
-
-
- name: Copy dhcpd template file
template: src=./files/dhcpd.conf.j2 dest=/etc/dhcp/dhcpd.conf owner=root group=root mode=0444
register: dhcpd
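Review bot: Both keepalive tasks `register: check_gw`, but in Ansible a task skipped by its `when` still registers a result (with `changed: false`), so on a supernode the skipped exit-node template overwrites the copy task's result and `when: check_gw.changed` on the cron task evaluates false — the `check_gw` cron job is never installed there; exit nodes happen to work only because their task runs second. Register the second task under another name, `register: check_gw_exit`, and change the cron condition to `when: check_gw.changed or check_gw_exit.changed`. With the `when: sn_exit is undefined` on the Tunneldigger stats task commented out, the stats script and its cron job now also deploy to exit nodes; if that is intended, delete the commented line rather than leaving it ambiguous.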
@@ -229,23 +230,24 @@
cron: name=backbone special_time=reboot job="/opt/freifunk/l2tp_backbone.sh"
- name: Add cron startup script
cron: name=startup special_time=reboot job="/opt/freifunk/sn_startup.sh"
-
- name: Copy backbone script
template: src=./files/l2tp_backbone.sh.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544
when: sn_exit is undefined
- name: Copy backbone script
template: src=./files/l2tp_backbone.sh.exit.j2 dest=/opt/freifunk/l2tp_backbone.sh owner=root group=root mode=0544
when: sn_exit is defined
-
- name: Collectd template file
template: src=./files/collectd.conf.j2 dest=/etc/collectd/collectd.conf owner=root group=root mode=0444
register: collectd
- name: Restart collectd
service: name=collectd state=restarted
when: collectd.changed
- - name: configure startup script
+ - name: configure startup script supernode
template: src=./files/sn_startup.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500
when: sn_exit is undefined
+ - name: Exit node startup script super- and exitnode
+ template: src=./files/sn_startup.exit.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500
+ when: sn_exit is defined
- name: SSH authorized_keys
copy: src=./files/{{ item }} dest=/root/.ssh owner=root group=root mode=0400
with_items: authorized_keys
@@ -265,9 +267,6 @@
- name: Interface configuration with ffrl gre tunnel
copy: src=./files/interfaces-{{ sn_hostname }} dest=/etc/network/interfaces owner=root group=root mode=0544
when: sn_exit is defined
- - name: Exit node startup script
- template: src=./files/sn_startup.exit.sh.j2 dest=/opt/freifunk/sn_startup.sh owner=root group=root mode=0500
- when: sn_exit is defined
- apt: update_cache=yes
- name: Install bird
apt: state=installed pkg=bird