From 12cfafb62b0526c7e11e42d975745312911e161d Mon Sep 17 00:00:00 2001
From: Tom Laermans
Date: Mon, 19 Jun 2023 17:39:10 +0200
Subject: [PATCH 1/2] Add table configuration support for both wg-quick (tested) and systemd (untested)
---
 manifests/interface.pp | 3 +++
 manifests/provider/systemd.pp | 2 ++
 manifests/provider/wgquick.pp | 2 ++
 templates/netdev.epp | 4 ++++
 templates/wireguard_conf.epp | 4 ++++
 5 files changed, 15 insertions(+)
diff --git a/manifests/interface.pp b/manifests/interface.pp
index eede447..cc8ecb7 100644
--- a/manifests/interface.pp
+++ b/manifests/interface.pp
@@ -6,6 +6,7 @@
 # @param input_interface ethernet interface where the wireguard packages will enter the system, used for firewall rules
 # @param manage_firewall if true, a nftables rule will be created
 # @param dport destination for firewall rules / where our wg instance will listen on. defaults to the last digits from the title
+# @param table Routing table to add routes to
 # @param firewall_mark netfilter firewall mark to set on outgoing packages from this wireguard interface
 # @param source_addresses an array of ip addresses from where we receive wireguard connections
 # @param destination_addresses array of addresses where the remote peer connects to (our local ips), used for firewalling
@@ -101,6 +102,7 @@
 Array[Stdlib::IP::Address] $destination_addresses = delete_undef_values([$facts['networking']['ip'], $facts['networking']['ip6'],]),
 String[1] $interface = $title,
 Integer[1024, 65000] $dport = Integer(regsubst($title, '^\D+(\d+)$', '\1')),
+ Optional[String[1]] $table = undef,
 Optional[Integer[0, 4294967295]] $firewall_mark = undef,
 String[1] $input_interface = $facts['networking']['primary'],
 Boolean $manage_firewall = $facts['os']['family'] ? { 'Gentoo' => false, default => true },
@@ -334,6 +336,7 @@
 interface => $interface,
 peers => $peers + $peer,
 dport => $dport,
+ table => $table,
 firewall_mark => $firewall_mark,
 addresses => $addresses,
 preup_cmds => $preup_cmds,
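Review bot: The new `# @param table Routing table to add routes to` line does not say which values are accepted, and the two providers this commit wires the value into read it differently, so a reader of interface.pp cannot tell what to pass. As far as I know wg-quick's `Table=` takes `off`, `auto`, a table number or an `rt_tables` name, while systemd-networkd's `RouteTable=` takes a number or a name networkd already knows about, and the subject line itself marks the systemd path untested. I would expand the comment to something like `# @param table Routing table to add the AllowedIPs routes to. wg-quick: 'off', 'auto', a number or an rt_tables name; systemd-networkd: a number or a networkd-known name (untested)`. The rest of the @param block lies outside the hunk.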
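Review bot: `Optional[String[1]] $table = undef` accepts any non-empty string, and the templates in this same patch interpolate it verbatim into a config line (`Table=`/`RouteTable=`), so as far as I can see from the templates a value containing a newline would be written into the generated file as additional directives — in a wg-quick config that includes hook lines such as `PostUp=`, which wg-quick executes with its own (root) privileges. The type should describe the set of values the backends actually understand rather than any string, e.g. `Optional[Variant[Enum['off', 'auto'], Integer[0, 4294967295], Pattern[/\A[A-Za-z0-9_-]+\z/]]] $table = undef,`, which also rejects whitespace and quoting characters. The `define` whose parameter list this hunk sits in starts and ends outside the hunk.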
diff --git a/manifests/provider/systemd.pp b/manifests/provider/systemd.pp
index 0f93d0b..b898d8a 100644
--- a/manifests/provider/systemd.pp
+++ b/manifests/provider/systemd.pp
@@ -6,6 +6,7 @@
 Enum['present', 'absent'] $ensure = 'present',
 Wireguard::Peers $peers = [],
 Integer[1024, 65000] $dport = Integer(regsubst($title, '^\D+(\d+)$', '\1')),
+ Optional[String[1]] $table = undef,
 Optional[Integer[0,4294967295]] $firewall_mark = undef,
 Array[Hash[String,Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]] $addresses = [],
 Optional[String[1]] $description = undef,
@@ -25,6 +26,7 @@
 content => epp("${module_name}/netdev.epp", {
 'interface' => $interface,
 'dport' => $dport,
+ 'table' => $table,
 'firewall_mark' => $firewall_mark,
 'description' => $description,
 'mtu' => $mtu,
diff --git a/manifests/provider/wgquick.pp b/manifests/provider/wgquick.pp
index f939489..b302c53 100644
--- a/manifests/provider/wgquick.pp
+++ b/manifests/provider/wgquick.pp
@@ -6,6 +6,7 @@
 Enum['present', 'absent'] $ensure = 'present',
 Wireguard::Peers $peers = [],
 Integer[1024, 65000] $dport = Integer(regsubst($title, '^\D+(\d+)$', '\1')),
+ Optional[String[1]] $table = undef,
 Optional[Integer[0,4294967295]] $firewall_mark = undef,
 Array[Hash[String,Variant[Stdlib::IP::Address::V4,Stdlib::IP::Address::V6]]] $addresses = [],
 Array[String[1]] $preup_cmds = [],
@@ -19,6 +20,7 @@
 $params = {
 'interface' => $interface,
 'dport' => $dport,
+ 'table' => $table,
 'firewall_mark' => $firewall_mark,
 'mtu' => $mtu,
 'peers' => $peers,
diff --git a/templates/netdev.epp b/templates/netdev.epp
index 71dbffc..96e9334 100644
--- a/templates/netdev.epp
+++ b/templates/netdev.epp
@@ -1,5 +1,6 @@
 <%- | String[1] $interface,
 Stdlib::Port $dport,
+ Optional[String[1]] $table,
 Optional[Integer] $firewall_mark,
 Wireguard::Peers $peers,
 Optional[String] $description,
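Review bot: The `$table` constraint is now spelled out independently as `Optional[String[1]]` in systemd.pp, wgquick.pp, interface.pp and both templates, which is the same drift pattern already visible for `firewall_mark` in these hunks (bounded `Integer[0,4294967295]` in the provider, plain `Optional[Integer]` in the netdev template). The module already relies on a type alias, `Wireguard::Peers`, in the very same parameter list, so declaring the accepted table values once as a `Wireguard::Table` alias and writing `Optional[Wireguard::Table] $table = undef,` in every provider and template would keep any later tightening in one place. The `define` header and the rest of the parameter list are outside the hunk.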
@@ -21,6 +22,9 @@ MTUBytes=<%= $mtu %>
 [WireGuard]
 PrivateKeyFile=/etc/wireguard/<%= $interface %>
 ListenPort=<%= $dport %>
+<% if $table { -%>
+RouteTable=<%= $table %>
+<% } -%>
 <% if $firewall_mark { -%>
 FirewallMark=<%= $firewall_mark %>
 <% } -%>
diff --git a/templates/wireguard_conf.epp b/templates/wireguard_conf.epp
index b0faa47..917dd7d 100644
--- a/templates/wireguard_conf.epp
+++ b/templates/wireguard_conf.epp
@@ -1,6 +1,7 @@
 <%- | String[1] $interface,
 Stdlib::Port $dport,
+ Optional[String[1]] $table,
 Optional[Integer] $firewall_mark,
 Wireguard::Peers $peers,
 Array[Hash] $addresses,
@@ -20,6 +21,9 @@
 <% } -%>
 <% } -%>
 ListenPort=<%= $dport %>
+<% if $table { -%>
+Table=<%= $table %>
+<% } -%>
 <% if $firewall_mark { -%>
 FwMark=<%= $firewall_mark %>
 <% } -%>
From ad8fe3a583ea6f2d50677a3369e884991e8fe717 Mon Sep 17 00:00:00 2001
From: Tom Laermans
Date: Sat, 24 Jun 2023 13:23:49 +0200
Subject: [PATCH 2/2] Update REFERENCE.md
Add `table` parameter documentation into REFERENCE.md
---
 REFERENCE.md | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/REFERENCE.md b/REFERENCE.md
index 48867f2..405c4dc 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -196,6 +196,7 @@ The following parameters are available in the `wireguard::interface` defined typ
 * [`input_interface`](#-wireguard--interface--input_interface)
 * [`manage_firewall`](#-wireguard--interface--manage_firewall)
 * [`dport`](#-wireguard--interface--dport)
+* [`table`](#-wireguard--interface--table)
 * [`firewall_mark`](#-wireguard--interface--firewall_mark)
 * [`source_addresses`](#-wireguard--interface--source_addresses)
 * [`destination_addresses`](#-wireguard--interface--destination_addresses)
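Review bot: The new `RouteTable=<%= $table %>` line in the `[WireGuard]` section is the part the subject line marks untested, and as far as I recall it is only understood by fairly recent systemd-networkd releases (it arrived around v250); on older releases networkd logs an "unknown key" warning and keeps the AllowedIPs routes in the main table instead of failing. An operator who sets `table` is usually doing policy routing, so silently landing those routes in the main table is the kind of failure that is easy to miss until traffic takes the wrong path. At minimum the provider documentation should state the minimum systemd version, and a template comment above the line such as `<%# RouteTable= in [WireGuard] needs a recent systemd-networkd; older releases ignore unknown keys with only a warning %>` would tell the next reader why. The rest of the `[WireGuard]` section is outside the hunk.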
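Review bot: Emitting `Table=<%= $table %>` changes more than where routes land: per the wg-quick documentation only the default `auto` enables its special handling of `0.0.0.0/0`/`::/0` AllowedIPs (the fwmark and `ip rule` setup that actually steers traffic into the tunnel), and `off` installs no routes at all. With an explicit table number wg-quick, as I read it, only adds the AllowedIPs routes to that table, so unless the operator adds matching `ip rule`s themselves (for instance through the module's `preup_cmds`-style hook parameters) traffic keeps following the main table outside the tunnel. That caveat belongs next to the `table` parameter documentation, e.g. `# @param table ... note: any value other than 'auto' disables wg-quick's automatic default-route/fwmark handling; add the ip rules yourself`. The template logic around this block is outside the hunk.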
@@ -256,6 +257,14 @@ destination for firewall rules / where our wg instance will listen on. defaults
 Default value: `Integer(regsubst($title, '^\D+(\d+)$', '\1'))`
+##### `table`
+
+Data type: `Optional[String[1]]`
+
+Routing table to add routes to
+
+Default value: `undef`
+
 ##### `firewall_mark`
 Data type: `Optional[Integer[0, 4294967295]]`