From 17dddde25237fadaf5ec34c667ea5a05ccf15f03 Mon Sep 17 00:00:00 2001
From: Benjamin Graillot <graillot@crans.org>
Date: Mon, 24 Aug 2020 13:46:07 +0200
Subject: [PATCH] [wireguard] Use nftables on boeing

---
 plays/wireguard.yml                           |  6 ++--
 roles/wireguard/tasks/main.yml                | 26 +++++++++++++++++
 roles/wireguard/templates/nftables.conf       | 29 +++++++++++++++++++
 .../templates/wireguard/sputnik.conf.j2       |  4 +--
 4 files changed, 61 insertions(+), 4 deletions(-)
 create mode 100644 roles/wireguard/templates/nftables.conf

diff --git a/plays/wireguard.yml b/plays/wireguard.yml
index 2de147e1..3ddd0b27 100755
--- a/plays/wireguard.yml
+++ b/plays/wireguard.yml
@@ -8,7 +8,8 @@
       sputnik: true
       private_key: "{{ vault_wireguard_sputnik_private_key }}"
       peer_public_key: "{{ vault_wireguard_boeing_public_key }}"
-  roles: ["wireguard"]
+  roles:
+    - wireguard
 
 - hosts: boeing.adm.crans.org
   vars:
@@ -19,4 +20,5 @@
       if: ens20
       private_key: "{{ vault_wireguard_boeing_private_key }}"
       peer_public_key: "{{ vault_wireguard_sputnik_public_key }}"
-  roles: ["wireguard"]
+  roles:
+    - wireguard
diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml
index 06b08d14..0cb16004 100644
--- a/roles/wireguard/tasks/main.yml
+++ b/roles/wireguard/tasks/main.yml
@@ -46,3 +46,29 @@
     name: wg-quick@sputnik
     state: started
     enabled: true
+
+- name: Install nftables
+  apt:
+    name: nftables
+    state: present
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+  when: not wireguard.sputnik
+
+- name: Deploy nftables.conf
+  template:
+    src: nftables.conf
+    dest: /etc/nftables.conf
+    mode: 0644
+    owner: root
+    group: root
+  when: not wireguard.sputnik
+
+- name: Enable and start nftables
+  systemd:
+    name: nftables
+    enabled: true
+    state: started
+  when: not wireguard.sputnik
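Review bot: The `Deploy nftables.conf` task has no `notify`, and the following task only asserts `state: started`, so on a host where nftables.service is already running a changed ruleset is written to disk but never loaded — the unit reads /etc/nftables.conf only at start or reload. Add `notify: Reload nftables` to the template task and a handler calling `systemd` with `name: nftables` / `state: reloaded` (the handlers file is outside this patch); on the same task `validate: nft -c -f %s` would reject a rendering error before it replaces the live configuration. Quote the permission as `mode: "0644"` rather than relying on YAML 1.1 octal parsing of the bare literal, matching the Ansible convention. The three identical `when: not wireguard.sputnik` guards could be collapsed into one `block:`; the enclosing task list starts outside the hunk.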
diff --git a/roles/wireguard/templates/nftables.conf b/roles/wireguard/templates/nftables.conf
new file mode 100644
index 00000000..107c269e
--- /dev/null
+++ b/roles/wireguard/templates/nftables.conf
@@ -0,0 +1,29 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+{% set sputnik_ip = query('ldap', 'ip', 'sputnik', 'adm') %}
+table ip nat {
+	chain prerouting {
+		type nat hook prerouting priority 0; policy accept;
+		ip daddr {{ sputnik_ip }} dnat 172.31.0.2
+	}
+	chain postrouting {
+		type nat hook postrouting priority 100; policy accept;
+		ip saddr 172.31.0.2 ip protocol icmp snat {{ sputnik_ip }}
+		ip saddr 172.31.0.2 ip protocol tcp snat {{ sputnik_ip }}
+		ip saddr 172.31.0.2 ip protocol udp snat {{ sputnik_ip }}
+	}
+}
+
+table inet filter {
+	chain input {
+		type filter hook input priority 0;
+	}
+	chain forward {
+		type filter hook forward priority 0;
+	}
+	chain output {
+		type filter hook output priority 0;
+	}
+}
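Review bot: `query()` returns a list, so unless the project's custom `ldap` lookup is special-cased, `{{ sputnik_ip }}` on the dnat and snat lines renders as a bracketed list and nft rejects the file at load; `{% set sputnik_ip = query('ldap', 'ip', 'sputnik', 'adm') | first %}` (or `lookup(...)`) gives the bare address — verify against the plugin. The ruleset is IPv4-only (`table ip nat`), while the ip6tables lines removed in the sputnik.conf.j2 hunk also DNAT'd an IPv6 address to fd0c:700:0:8::2; those lines were commented out, so this may be deliberate, but if v6 reachability of sputnik through boeing is expected a `table ip6 nat` with the matching rules is missing. Because the file opens with `flush ruleset` and the three filter chains carry no `policy`, this template becomes the host's entire firewall with everything accepted by default; a header comment such as `# Full ruleset for boeing: NAT sputnik's public address to 172.31.0.2 over the WireGuard tunnel; filter chains intentionally default to accept` would record that intent for the next maintainer.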
diff --git a/roles/wireguard/templates/wireguard/sputnik.conf.j2 b/roles/wireguard/templates/wireguard/sputnik.conf.j2
index 4f0ec94a..aa19a227 100644
--- a/roles/wireguard/templates/wireguard/sputnik.conf.j2
+++ b/roles/wireguard/templates/wireguard/sputnik.conf.j2
@@ -17,8 +17,8 @@ Address = 172.31.0.1/30, fd0c:700:0:8::1/64
 ListenPort = 51820
 PrivateKey = {{ wireguard.private_key }}
 
-# PostUp =   ifup   {{ wireguard.if }}; iptables -t nat -A PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -A POSTROUTING -j MASQUERADE; ip6tables -t nat -A PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -A POSTROUTING -j MASQUERADE
-# PostDown = ifdown {{ wireguard.if }}; iptables -t nat -D PREROUTING -d 10.231.136.21 -j DNAT --to-destination 172.31.0.2; iptables -t nat -D POSTROUTING -j MASQUERADE; ip6tables -t nat -D PREROUTING -d 2a0c:700:0:2:73:70ff:fe75:7402/128 -j DNAT --to-destination fd0c:700:0:8::2; ip6tables -t nat -D POSTROUTING -j MASQUERADE
+PostUp =   ifup   {{ wireguard.if }}; systemctl start nftables
+PostDown = ifdown {{ wireguard.if }}; systemctl stop nftables
 
 [Peer]
 PublicKey = {{ wireguard.peer_public_key }}
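Review bot: `systemctl stop nftables` in the new PostDown line flushes the whole host ruleset, not only the NAT rules this tunnel needs — the stock Debian unit's ExecStop runs `nft flush ruleset` — and since the role also enables nftables.service at boot, bringing the tunnel down leaves the host with an empty ruleset until it comes back up. The `systemctl start nftables` in PostUp is a no-op when the unit is already active, so restarting wg-quick@sputnik does not pick up an updated /etc/nftables.conf. Prefer `PostUp =   ifup   {{ wireguard.if }}; systemctl reload-or-restart nftables` and `PostDown = ifdown {{ wireguard.if }}; nft delete table ip nat` (or drop the stop entirely), leaving nftables.service to own the base ruleset. The [Interface] section starts outside the hunk.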
-- 
GitLab