Merge pull request #199 from ruby-no-kai/plat-outer-prefix

hanazuki · web-flow · commit 67ecdd53dc05 · 2025-04-12T02:24:40.000+09:00
plat: Accept prefixes for NAT outer addresses
diff --git a/itamae/helpers.rb b/itamae/helpers.rb
@@ -0,0 +1,45 @@
+module TemplateHelpers
+  # Embed IPv4 address or CIDR in Pref64::/n
+  def embed_v4(pref64n, v4)
+    v4addr, v4prefixlen = v4.split(?/, 2)
+    v6prefixlen = v4prefixlen.to_i + 96 if v4prefixlen
+
+    pref64n.sub('::/96', [sprintf(':%02x%02x:%02x%02x', *v4addr.split(?.).map(&:to_i)), *v6prefixlen].join(?/)) or fail 'pref64n is not /96'
+  end
+
+  # Parse the IPv6 string representation into an array of hextets.
+  def parse_v6addr(str)
+    head, tail = str.split('::', 2)
+    hextets = head.split(?:).map {|h| h.to_i(16) }
+    if tail
+      tail = tail.split(?:).map {|h| h.to_i(16) }
+      hextets << Array.new(8 - hextets.count - tail.count, 0) << tail
+    end
+    fail 'invalid IPv6 addr' if hextets.size != 8
+    hextets
+  end
+
+  # Format the array of hextets into IPv6 string representation.
+  def format_v6addr(addr)
+    addr.map {|h| h.to_s(16) }.join(?:)
+  end
+
+  # Convert IPv6 CIDR to min-max range
+  def v6range(v6cidr)
+    v6addr, v6prefixlen = v6cidr.split(?/, 2)
+    v6prefixlen = v6prefixlen&.to_i
+    return "[#{v6addr}]" if !v6prefixlen || v6prefixlen == 128
+    v6addr = parse_v6addr(v6addr)
+
+    hostmask = 8.times.map do |i|
+      n = (i+1) * 16 - v6prefixlen
+      n > 0 ? (1 << n) - 1 : 0
+    end
+
+    min = v6addr.zip(hostmask).map {|a, b| a & ~b }
+    max = v6addr.zip(hostmask).map {|a, b| a | b }
+    "[#{format_v6addr(min)}]-[#{format_v6addr(max)}]"
+  end
+end
+
+MItamae::ResourceExecutor::Template::RenderContext.include(TemplateHelpers)
diff --git a/itamae/hosts/nat-61.venue.rubykaigi.net/default.rb b/itamae/hosts/nat-61.venue.rubykaigi.net/default.rb
@@ -4,8 +4,8 @@
   },
   plat: {
     nat64: {
-      outer_public: '192.50.220.162',
-      outer_private: '10.33.40.162',
+      outer_public: '192.50.220.162/32',
+      outer_private: '10.33.40.162/32',
     },
     interfaces: {
       loopback: {
diff --git a/itamae/hosts/nat-62.venue.rubykaigi.net/default.rb b/itamae/hosts/nat-62.venue.rubykaigi.net/default.rb
@@ -4,8 +4,8 @@
   },
   plat: {
     nat64: {
-      outer_public: '192.50.220.163',
-      outer_private: '10.33.40.163',
+      outer_public: '192.50.220.163/32',
+      outer_private: '10.33.40.163/32',
     },
     interfaces: {
       loopback: {
diff --git a/itamae/hosts/nat-69.tkyk.rubykaigi.net/default.rb b/itamae/hosts/nat-69.tkyk.rubykaigi.net/default.rb
@@ -1,8 +1,8 @@
 node.reverse_merge!(
   plat: {
     nat64: {
-      outer_public: '192.50.220.166',
-      outer_private: '10.33.40.64',
+      outer_public: '192.50.220.166/32',
+      outer_private: '10.33.40.64/29',
     },
     interfaces: {
       loopback: {
diff --git a/itamae/roles/plat/templates/etc/bird/bird.conf.d/plat.conf b/itamae/roles/plat/templates/etc/bird/bird.conf.d/plat.conf
@@ -66,10 +66,10 @@ protocol static {
     table static4;
   };
 
-  route <%= node.dig(:plat, :nat64).fetch(:outer_private) %>/32 via "tun-siit" {
+  route <%= node.dig(:plat, :nat64).fetch(:outer_private) %> via "tun-siit" {
     bgp_community.add((C_SELF,C_CTL_ALLOW_OUTSIDE));
   };
-  route <%= node.dig(:plat, :nat64).fetch(:outer_public) %>/32 via "tun-siit" {
+  route <%= node.dig(:plat, :nat64).fetch(:outer_public) %> via "tun-siit" {
     bgp_community.add((C_SELF,C_CTL_ALLOW_OUTSIDE));
   };
 }
diff --git a/itamae/roles/plat/templates/etc/nftables/plat.conf b/itamae/roles/plat/templates/etc/nftables/plat.conf
@@ -1,12 +1,5 @@
 # vim: ft=nftables
 <%-
-def embed_v4(v6prefix, v4)
-  v4addr, v4prefixlen = v4.split(?/, 2)
-  v6prefixlen = v4prefixlen.to_i + 96 if v4prefixlen
-
-  v6prefix.sub('::/96', [sprintf(':%02x%02x:%02x%02x', *v4.split(?.).map(&:to_i)), *v6prefixlen].join(?/)) or fail 'v6prefix is not /96'
-end
-
 nat64 = node.dig(:plat, :nat64)
 outer_public = nat64.fetch(:outer_public)
 outer_private = nat64.fetch(:outer_private)
@@ -59,12 +52,12 @@ table inet plat {
   }
 
   chain srcnat_private {
-    meta l4proto {tcp, udp} counter snat ip6 to <%= embed_v4(internal, outer_private) %>:1024-65535
+    meta l4proto {tcp, udp} counter snat ip6 to <%= v6range(embed_v4(internal, outer_private)) %>:1024-65535
     counter snat ip6 to <%= embed_v4(internal, outer_private) %>
   }
 
   chain srcnat_public {
-    meta l4proto {tcp, udp} counter snat ip6 to <%= embed_v4(internal, outer_public) %>:1024-65535
+    meta l4proto {tcp, udp} counter snat ip6 to <%= v6range(embed_v4(internal, outer_public)) %>:1024-65535
     counter snat ip6 to <%= embed_v4(internal, outer_public) %>
   }
 
diff --git a/itamae/site.rb b/itamae/site.rb
@@ -1,3 +1,5 @@
+include_recipe './helpers'
+
 execute "apt-get update" do
   action :nothing
 end

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,5 @@`
	`1`	`+include_recipe './helpers'`
	`2`	`+`
`1`	`3`	`execute "apt-get update" do`
`2`	`4`	`action :nothing`
`3`	`5`	`end`