summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--data/templates/aws/override_aws_gwlbtun.conf.j236
-rw-r--r--data/templates/firewall/nftables.j21
-rw-r--r--debian/control1
-rw-r--r--interface-definitions/service-aws-glb.xml.in127
-rwxr-xr-xsrc/conf_mode/service_aws_glb.py76
-rw-r--r--src/systemd/aws-gwlbtun.service11
6 files changed, 251 insertions, 1 deletions
diff --git a/data/templates/aws/override_aws_gwlbtun.conf.j2 b/data/templates/aws/override_aws_gwlbtun.conf.j2
new file mode 100644
index 000000000..4c566d852
--- /dev/null
+++ b/data/templates/aws/override_aws_gwlbtun.conf.j2
@@ -0,0 +1,36 @@
+{% set args = [] %}
+{% if script.on_create is vyos_defined %}
+{% set _ = args.append("-c " + script.on_create) %}
+{% endif %}
+{% if script.on_destroy is vyos_defined %}
+{% set _ = args.append("-r " + script.on_destroy) %}
+{% endif %}
+
+{% if status.port is vyos_defined %}
+{% set _ = args.append("-p " + status.port) %}
+{% endif %}
+
+{% if threads.tunnel is vyos_defined %}
+{% set _ = args.append("--tunthreads " + threads.tunnel) %}
+{% endif %}
+{% if threads.tunnel_affinity is vyos_defined %}
+{% set _ = args.append("--tunaffinity " + threads.tunnel_affinity) %}
+{% endif %}
+
+{% if threads.udp is vyos_defined %}
+{% set _ = args.append("--udpthreads " + threads.udp) %}
+{% endif %}
+{% if threads.udp_affinity is vyos_defined %}
+{% set _ = args.append("--udpaffinity " + threads.udp_affinity) %}
+{% endif %}
+
+[Unit]
+StartLimitIntervalSec=0
+After=vyos-router.service
+
+[Service]
+EnvironmentFile=
+ExecStart=/usr/bin/gwlbtun {{ args | join(' ') }}
+CapabilityBoundingSet=CAP_NET_ADMIN
+Restart=always
+RestartSec=10
diff --git a/data/templates/firewall/nftables.j2 b/data/templates/firewall/nftables.j2
index 723c9c3a2..db010257d 100644
--- a/data/templates/firewall/nftables.j2
+++ b/data/templates/firewall/nftables.j2
@@ -272,7 +272,6 @@ table bridge vyos_filter {
{{ group_tmpl.groups(group, False, False) }}
}
{% endif %}
-{{ group_tmpl.groups(group, True) }}
table inet vyos_offload
delete table inet vyos_offload
diff --git a/debian/control b/debian/control
index ee45a5fe3..735733956 100644
--- a/debian/control
+++ b/debian/control
@@ -36,6 +36,7 @@ Depends:
accel-ppp,
auditd,
avahi-daemon,
+ aws-gwlbtun,
beep,
bmon,
bsdmainutils,
diff --git a/interface-definitions/service-aws-glb.xml.in b/interface-definitions/service-aws-glb.xml.in
new file mode 100644
index 000000000..c749fd04e
--- /dev/null
+++ b/interface-definitions/service-aws-glb.xml.in
@@ -0,0 +1,127 @@
+<?xml version="1.0"?>
+<interfaceDefinition>
+ <node name="service">
+ <children>
+ <node name="aws">
+ <properties>
+ <help>Amazon Web Service</help>
+ <priority>1280</priority>
+ </properties>
+ <children>
+ <node name="glb" owner="${vyos_conf_scripts_dir}/service_aws_glb.py">
+ <properties>
+ <help>Gateway load-balancer tunnel handler</help>
+ </properties>
+ <children>
+ <node name="script">
+ <properties>
+ <help>Script executed on create or destroy tunnel</help>
+ </properties>
+ <children>
+ <leafNode name="on-create">
+ <properties>
+ <help>Script to run when interface is created</help>
+ <constraint>
+ <validator name="script"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="on-destroy">
+ <properties>
+ <help>Script to run when interface is destroyed</help>
+ <constraint>
+ <validator name="script"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="status">
+ <properties>
+ <help>Status</help>
+ </properties>
+ <children>
+ <leafNode name="format">
+ <properties>
+ <help>Statistic format</help>
+ <completionHelp>
+ <list>simple full</list>
+ </completionHelp>
+ <valueHelp>
+ <format>simple</format>
+ <description>Simple format</description>
+ </valueHelp>
+ <valueHelp>
+ <format>full</format>
+ <description>Full format</description>
+ </valueHelp>
+ <constraint>
+ <regex>(simple|full)</regex>
+ </constraint>
+ </properties>
+ </leafNode>
+ #include <include/port-number.xml.i>
+ </children>
+ </node>
+ <node name="threads">
+ <properties>
+ <help>Threads settings</help>
+ </properties>
+ <children>
+ <leafNode name="tunnel">
+ <properties>
+ <help>Number of threads for each tunnel processor</help>
+ <valueHelp>
+ <format>u32:1-256</format>
+ <description>Number of threads</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-256"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="tunnel-affinity">
+ <properties>
+ <help>List of cores worker threads</help>
+ <valueHelp>
+ <format>&lt;idN&gt;-&lt;idM&gt;</format>
+ <description>CPU core id range (use '-' as delimiter)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--allow-range --range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="udp">
+ <properties>
+ <help>Number of threads for UDP receiver</help>
+ <valueHelp>
+ <format>u32:1-256</format>
+ <description>Number of threads</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--range 1-256"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ <leafNode name="udp-affinity">
+ <properties>
+ <help>List of cores worker threads</help>
+ <valueHelp>
+ <format>&lt;idN&gt;-&lt;idM&gt;</format>
+ <description>CPU core id range (use '-' as delimiter)</description>
+ </valueHelp>
+ <constraint>
+ <validator name="numeric" argument="--allow-range --range 0-255"/>
+ </constraint>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+ </children>
+ </node>
+</interfaceDefinition>
diff --git a/src/conf_mode/service_aws_glb.py b/src/conf_mode/service_aws_glb.py
new file mode 100755
index 000000000..d1ed5a07b
--- /dev/null
+++ b/src/conf_mode/service_aws_glb.py
@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 VyOS maintainers and contributors
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2 or later as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from sys import exit
+
+from vyos.config import Config
+from vyos.template import render
+from vyos.utils.process import call
+from vyos import ConfigError
+from vyos import airbag
+airbag.enable()
+
+systemd_service = 'aws-gwlbtun.service'
+systemd_override = '/run/systemd/system/aws-gwlbtun.service.d/10-override.conf'
+
+
+def get_config(config=None):
+ if config:
+ conf = config
+ else:
+ conf = Config()
+ base = ['service', 'aws', 'glb']
+ if not conf.exists(base):
+ return None
+
+ glb = conf.get_config_dict(base, key_mangling=('-', '_'),
+ get_first_key=True,
+ no_tag_node_value_mangle=True)
+
+ return glb
+
+
+def verify(glb):
+ # bail out early - looks like removal from running config
+ if not glb:
+ return None
+
+
+def generate(glb):
+ if not glb:
+ return None
+
+ render(systemd_override, 'aws/override_aws_gwlbtun.conf.j2', glb)
+
+
+def apply(glb):
+ call('systemctl daemon-reload')
+ if not glb:
+ call(f'systemctl stop {systemd_service}')
+ else:
+ call(f'systemctl restart {systemd_service}')
+ return None
+
+
+if __name__ == '__main__':
+ try:
+ c = get_config()
+ verify(c)
+ generate(c)
+ apply(c)
+ except ConfigError as e:
+ print(e)
+ exit(1)
diff --git a/src/systemd/aws-gwlbtun.service b/src/systemd/aws-gwlbtun.service
new file mode 100644
index 000000000..97d772dec
--- /dev/null
+++ b/src/systemd/aws-gwlbtun.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Description=AWS Gateway Load Balancer Tunnel Handler
+Documentation=https://github.com/aws-samples/aws-gateway-load-balancer-tunnel-handler
+After=network.target
+
+[Service]
+ExecStart=
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target