misc/ix_tun.rb: generate tunnel destination config

sorah · sorah · commit 7f39f0829b41 · 2025-09-25T15:09:32.000+09:00
diff --git a/misc/ix_tun.rb b/misc/ix_tun.rb
@@ -1,77 +1,98 @@
+
+# Generate NEC IX commnads to configure venue tunnels
+#
+# Interfaces:
+# "Tunnel#{pop_num}.0" etherip-ipsec to pop (not in scope of this script)
+# "Tunnel1#{peer_tun_num}0.0" etherip-ipsec to venue
+# "Tunnel1#{peer_tun_num}1.0" etherip to venue
+
 require 'ipaddr'
-# Usage: ix_tun.rb hnd br-01
 
-IFACES = %w(bvi0 bvi10 bvi1 bvi11 tun100 tun110 tun101 tun111)
+is_full = ARGV.delete('--full')
 
-ASNS = {
-  hnd: 65001,
-  itm: 65002,
-  venue: 65010,
+peer_address_chars = ('a'..'f').to_a + ('0'..'9').to_a
+peer_addresses = ARGV.map.with_index { |arg,i| 
+  a = IPAddr.new(arg)
+  b = IPAddr.new(a.cidr)
+  if a == b
+    b | IPAddr.new("::dddd:#{peer_address_chars.fetch(i)*4}:0:1")
+  else
+    a
+  end
 }
 
-host_lines = File.read(File.join(__dir__, '..', 'hosts.txt'))
 
-HostInfo = Struct.new(:dc, :network, :cidr, :ip, :name, :iface, :mac, :primary)
-hosts = host_lines.lines.
-  map { |l| HostInfo.new(*l.chomp.split(?\t, 7).map(&:strip), false) }.
-  reject { |_| _.ip.nil? || _.ip.empty? }.
-  group_by { |_| [_.dc, _.name, _.ip.include?(?:)] }.
-  map { |k, ips| ips[0].primary = true; [k, ips] }.
-  to_h
+SiteTun = Data.define(:num, :site, :nexthop, :interface)
 
+SITE_TUNS = [
+  SiteTun.new(1, 'hnd', 'fe80::208:e3ff:feff:fd90%GigaEthernet0.1', 'GigaEthernet0.1'),
+  SiteTun.new(2, 'nrt', 'fe80::a%GigaEthernet0.0', 'GigaEthernet0.0'),
+  SiteTun.new(3, 'itm', 'fe80::a%GigaEthernet0.0', 'GigaEthernet0.0'),
+]
 
-target = ARGV[0,2]
 
-BgpPeer = Struct.new(:ip, :asn, :desc, :mapin, :mapout, :default, keyword_init: true)
-bgp_peers = []
-ospf3_ifaces = []
-IFACES.each do |iface|
-  v4 = (hosts[[*target, false]] || []).find { |is| is.iface == iface }
-  v6 = (hosts[[*target, true]] || []).find { |is| is.iface == iface }
-  canonical = iface.sub(/bvi/,'BVI').sub(/tun(\d+)/, 'Tunnel\1.0')
-  puts "interface #{canonical}"
-  puts "  ip address #{v4.ip}/30"
-  puts "  ipv6 enable"
-  puts "  ipv6 address #{v6.ip}/124"
-  puts "  ipv6 ospf cost #{iface.start_with?('tun') ? 400 : 200}"
-  puts "  ipv6 ospf hello-interval 6"
-  puts "  ipv6 ospf dead-interval 30"
-  puts "!"
+negates = []
+SITE_TUNS.each do |site_tun|
+  puts "!!!!!!!!! #{site_tun.site} !!!!!!!!!"
+  negates << "!!!!!!!!! #{site_tun.site} !!!!!!!!!"
 
-  ospf3_ifaces << [canonical, v6] if v6
+  peer_addresses.each do |peer_address|
+    route = IPAddr.new(peer_address.cidr)
+    puts          "ipv6 route #{route}/#{route.prefix} #{site_tun.nexthop}"
+    negates << "no ipv6 route #{route}/#{route.prefix} #{site_tun.nexthop}"
+  end
+  puts
+  peer_addresses.each_with_index do |peer_address, idx|
+    num = (idx+1) * 10
+    rendered = <<-EOF
+*interface Tunnel#{num}.0
+-  description Downstream: Tun#{site_tun.num}0.0@tun-0#{idx+1}.venue, Gi2.#{site_tun.num}0 [etherip-ipsec]
+-  tunnel mode ether-ip ipsec-ikev2
+-  no ip address
+-  bridge-group #{num+1}
+-  bridge ip tcp adjust-mss 1330
+-  bridge ipv6 tcp adjust-mss 1330
+-  ikev2 connect-type auto
+-  ikev2 ipsec pre-fragment
+-  ikev2 outgoing-interface #{site_tun.interface} #{site_tun.nexthop.sub(/%.+$/, '')}
+-  ikev2 source-address ###TODO###
+-  ikev2 ipsec-mode transport
+-  ikev2 peer any authentication psk id fqdn tun-0#{idx+1}.venue.rubykaigi.net
+*  no shutdown
+*!
+*interface Tunnel#{num+1}.0
+-  description Downstream: Tun#{site_tun.num}1.0@tun-0#{idx+1}.venue, Gi2.#{site_tun.num}1 [etherip]
+-  tunnel mode ether-ip ipv6
+*  tunnel destination #{peer_address.to_s}
+-  tunnel source ###TODO###
+-  no ip address
+-  bridge-group #{num+1}
+-  bridge ip tcp adjust-mss 1330
+-  bridge ipv6 tcp adjust-mss 1330
+*  no shutdown
+-!
+    EOF
 
-  bgppeer = BgpPeer.new
-  v4a = IPAddr.new("#{v4.ip}/30")
-  v4as = v4a.to_range.to_a
-  bgppeer.ip = v4as.index{ |_| _.to_s == v4.ip } == 1 ? v4as[2] : v4as[1]
-  peerinfo = hosts.each_value.to_a.flatten.find { |_| _.ip == bgppeer.ip.to_s }
-  bgppeer.asn = ASNS.fetch(peerinfo.dc.to_sym)
-  bgppeer.desc = canonical
-  bgppeer.mapin = iface.start_with?('tun') ? 'private-in' : 'public-in'
-  bgppeer.mapout = iface.start_with?('tun') ? 'private-out' : 'public-out'
-  bgppeer.default = iface.start_with?('bvi')
+    if is_full
+      puts rendered.gsub(/^./, '')
+    else
+      puts rendered.each_line.grep(/^\*/).join.gsub(/^./, '')
+    end
 
-  bgp_peers << bgppeer
-end
+    negates << "interface Tunnel#{num}.0"
+    negates << "  shutdown"
+    negates << "interface Tunnel#{num+1}.0"
+    negates << "  shutdown"
+  end
 
-puts "ipv6 router ospf 1"
-ospf3_ifaces.each do |(canonical, _)|
-  puts "  network #{canonical} area 0"
+  puts
+  puts
+  negates << nil
+  negates << nil
 end
-puts "!"
 
+puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
+puts "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"
 
-puts "router bgp #{ASNS[ARGV[0].to_sym]}"
-bgp_peers.each do |peer|
-  puts "  neighbor #{peer.ip} remote-as #{peer.asn}"
-  puts "  neighbor #{peer.ip} description #{peer.desc}"
-  puts "  neighbor #{peer.ip} connect-interval 10"
-  puts "  neighbor #{peer.ip} advertisement-interval 6"
-  puts "  neighbor #{peer.ip} timers 6 30"
-end
-puts "  address-family ipv4 unicast"
-bgp_peers.each do |peer|
-  puts "    neighbor #{peer.ip} route-map #{peer.mapin} in"
-  puts "    neighbor #{peer.ip} route-map #{peer.mapout} out"
-  puts "    no neighbor #{peer.ip} send-default "unless peer.default
-end
+puts negates.join("\n")
