Setting Up The Linux Routers With Cfengine

This is section from my web pages Musings/Experiments With A Virtual Data Center

Conectivity between the datacenters and the backbone network is via Linux routers. These routers are tri homed hosts with interfaces to two datacenter networks, eth0 and eth1, and a connection to the backbone network, eth2. The network interface and network number assignments are:

Interface Datacenter
Interface Datacenter
Interface Backbone
Palo Alto ethX ethX eth2
San Francisco ethX ethX eth2
New York ethX ethX eth2

The initial configuration of the network interfaces was handlled by the InitClient script I wrote that is run when the Linux router was first cloned from the generic vmhost.

Enabling IP forwarding on the routers

To enable IP forwarding on the routers the /etc/sysctl.conf file needs to be editied to change the value 0 to 1 in the line:
net.ipv4.ip_forward = 0

This can be done in cfengine with editing command in the editfiles: section of the cfagent configuration file:

We do not want to enable IP forwarding on all the hosts so we need to limit the application of the edit. You do this cfengine using "classes". There are a multitue of classes that cfengine automaically defines including classes based on IP networks the host is connected to and IP addresses used by the host.

The cfengine macro we will used is ipv4_172_16_32. All of the Linux routers are connected to the backbone network so they will have this network class set.

1: editfiles:

2:   ipv4_172_16_32::

3:     { /etc/sysctl.conf

4:       AutoCreate
5:       BeginGroupIfNoLineMatching "^net.ipv4.ip_forward =.*"
6:         Append "net.ipv4.ip_forward ="
7:       EndGroup
8:       LocateLineMatching "^net.ipv4.ip_forward =.*"
9:       ReplaceLineWith "net.ipv4.ip_forward = 1"

10:    }

Line 2 is the class test. The edit will only be made if the host has the class ipv4_172_16_32 set. Line 3 indicates which file to edit. Line 4 will create the sysctl.conf file if it does not exist. Lines 5-7 are used to add a net.ipv4.ip_forward = if the line is not found in the existing sysctl.conf file. Lines 8-9 locate the net.ipv4.ip_forward = line in the file and replaces it with the same line with the value set to 1.

Allowing packet routing in the iptables on the routers

While enabling IP forwarding will allow the kernel to forward packets, the packets will be blocked by the iptables packet filtering rules. In this first pass of configuring the routers we will simply open iptables wide open:
# A wide open router configuration
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth2 -j ACCEPT
-A FORWARD -i eth0 -o eth2 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT
-A FORWARD -i eth2 -o eth0 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -j ACCEPT
Since there will be many files that we will want to push from the cfengine master to the routers will will create a routers sub-directory in the /home/masterfiles directory. Files to be pushed to the servers will be stored in their normal path below the routers directory. So the iptables file will be stored in /home/masterfiles/routers/etc/sysconfig/iptables.

The file will be pushed to the routers in the copy: section of the cfagent configuration. Again we test the the class ipv4_172_16_32 and only install the file only on hosts with this class set.


  $(master_dir)/routers/etc/sysconfig/iptables  dest=/etc/sysconfig/iptables
                                type=checksum server=$(policyhost)

Installing a resolv.conf file on the routers

Installing static routes to the other data centers