3 # This is an example of a Ganeti kvm ifup script that configures network
4 # interfaces based on the initial deployment of the Okeanos project
# MAC assigned to every routed-mode tap (see the `ip link set ... addr` call
# at the bottom of the script). The first byte 0xcc has the locally
# administered bit set; the remaining bytes are the ASCII codes of "GRNET".
6 TAP_CONSTANT_MAC=cc:47:52:4e:45:54 # GRNET in hex :-)
# External helper that derives an EUI-64 IPv6 address from a MAC and a
# prefix; invoked as `$MAC2EUI64 $MAC $prefix` in routed_setup_ipv6 and
# setup_nfdhcpd. Its output is used unchecked, so it must be trusted.
7 MAC2EUI64=/usr/bin/mac2eui64
# Directory of per-interface state files consumed by nfdhcpd; one file per
# $INTERFACE is written by setup_nfdhcpd and removed by clear_nfdhcpd.
8 NFDHCPD_STATE_DIR=/var/lib/nfdhcpd
10 function clear_routed_setup_ipv4 {
# Undo the IPv4 routed-mode state for $INTERFACE that routed_setup_ipv4 and
# the unicast-DHCP drop rule installed: the ARP source mangling, every
# policy-routing rule bound to the interface, and the FORWARD drop rule.
# Globals (read): INTERFACE.
# The caller discards all output, so nothing here is reported on failure.
# NOTE(review): $INTERFACE is expanded unquoted in every command; it is
# presumably supplied by Ganeti, but quoting it as "$INTERFACE" costs nothing.
12 arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle
# Keep deleting until `ip rule del` fails, i.e. until no rule for the
# interface is left; the loop terminates on that failure.
13 while ip rule del dev $INTERFACE; do :; done
14 iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
18 function clear_routed_setup_ipv6 {
# Remove every IPv6 policy-routing rule bound to $INTERFACE (the one added
# by routed_setup_ipv6). Loops until `ip -6 rule del` fails, which is how
# "no rule left" is detected. The proxy-NDP entry added on the uplink by
# routed_setup_ipv6 is not removed in this excerpt.
# Globals (read): INTERFACE.
20 while ip -6 rule del dev $INTERFACE; do :; done
25 function clear_routed_setup_firewall {
# Remove the FORWARD jump into the per-NIC firewall profile chain for both
# IPv4 and IPv6. The previously applied profile is unknown here, so all
# three chain names are tried; the two that do not match simply fail
# (output is discarded by the caller).
# Globals (read): INTERFACE.
27 for oldchain in protected unprotected limited; do
28 iptables -D FORWARD -o $INTERFACE -j $oldchain
29 ip6tables -D FORWARD -o $INTERFACE -j $oldchain
34 function clear_ebtables {
# Remove the FORWARD jumps into the per-tap ebtables chains that
# init_ebtables adds: $FROM for frames entering from $TAP, $TO for frames
# leaving towards $TAP. $FROM, $TO and $TAP are not defined in this excerpt;
# presumably they come from the sourced configuration or from lines not shown.
# Deleting/flushing the chains themselves is not part of this excerpt.
36 ebtables -D FORWARD -i $TAP -j $FROM
37 ebtables -D FORWARD -o $TAP -j $TO
# Mirrors the OUTPUT rule that setup_masq also keeps commented out.
38 #ebtables -D OUTPUT -o $TAP -j $TO
45 function clear_nfdhcpd {
# Remove the per-interface state file that setup_nfdhcpd writes for nfdhcpd.
# Globals (read): NFDHCPD_STATE_DIR, INTERFACE.
# NOTE(review): the path is built from unquoted, unguarded expansions; the
# safer form is `rm -f -- "${NFDHCPD_STATE_DIR:?}/${INTERFACE:?}"` so an
# unset variable aborts instead of producing an unintended path.
47 rm $NFDHCPD_STATE_DIR/$INTERFACE
52 function routed_setup_ipv4 {
# Install the IPv4 plumbing for a routed-mode tap: outgoing ARP requests on
# the tap are rewritten to carry the gateway's IP, the tap is bound to
# routing table $TABLE, a host route for the VM's $IP is placed in that
# table, and proxy ARP is enabled so the host answers ARP on the VM's behalf.
# Globals (read): INTERFACE, NETWORK_GATEWAY, TABLE, IP.
# NOTE(review): only $NETWORK_GATEWAY is quoted; $INTERFACE, $TABLE and $IP
# are expanded unquoted.
54 # mangle ARPs to come from the gw's IP
55 arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY"
57 # route interface to the proper routing table
58 ip rule add dev $INTERFACE table $TABLE
60 # static route mapping IP -> INTERFACE
61 ip route replace $IP proto static dev $INTERFACE table $TABLE
# Proxy ARP on the tap: the host replies to ARP requests from the VM, which
# is what makes the gateway reachable without a real L2 neighbour.
64 echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
67 function routed_setup_ipv6 {
# Install the IPv6 plumbing for a routed-mode tap: derive the VM's EUI-64
# address from $MAC and $NETWORK_SUBNET6, bind the tap to table $TABLE, add a
# /128 route for that address, and register it as a proxy-NDP entry on the
# uplink found via the default route in $TABLE.
# Globals (read): NETWORK_SUBNET6, TABLE, MAC2EUI64, MAC, INTERFACE.
# Globals (written): prefix, uplink, eui64 — none of them `local`.
68 # Add a routing entry for the eui-64
69 prefix=$NETWORK_SUBNET6
# Uplink = the device of the "default via" route in $TABLE. If no such route
# exists, $uplink is empty and the `dev $uplink` below becomes a bare `dev`,
# which `ip` rejects — silently, since the caller discards output.
70 uplink=$(ip -6 route list table $TABLE | grep "default via" | awk '{print $5}')
# The helper's output is used as-is; an empty result would produce a broken
# `/128` argument on the route line below.
71 eui64=$($MAC2EUI64 $MAC $prefix)
74 ip -6 rule add dev $INTERFACE table $TABLE
75 ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE
76 ip -6 neigh add proxy $eui64 dev $uplink
78 # disable proxy NDP since we're handling this on userspace
79 # this should be the default, but better safe than sorry
80 echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp
83 # pick a firewall profile per NIC, based on tags (and apply it)
# Reads $tag (not a parameter — presumably the loop variable of the
# `for tag in $NETWORK_TAGS` loop at the bottom of the script), strips the
# per-NIC prefix and, if a profile is selected, appends a FORWARD jump into
# the matching chain for traffic leaving towards $INTERFACE (IPv4 and IPv6).
# The case arms that set $chain are not part of this excerpt; judging by
# clear_routed_setup_firewall, the chain names are protected, unprotected
# and limited.
# Globals (read): INTERFACE_INDEX, tag, INTERFACE. Globals (written): ifprefix,
# and presumably chain in the missing arms.
84 function routed_setup_firewall {
85 ifprefix="synnefo:network:$INTERFACE_INDEX:"
# `${tag#$ifprefix}` removes the prefix only if $tag starts with it; a tag
# for another NIC is left intact and should fall through to the default arm.
87 case ${tag#$ifprefix} in
# `"x$chain" != "x"` is the classic non-empty test; `[[ -n "$chain" ]]` is the
# modern equivalent. NOTE(review): $chain is not reset at function entry in
# this excerpt, so a value left by an earlier call could be reapplied —
# confirm against the missing case arms.
100 if [ "x$chain" != "x" ]; then
101 iptables -A FORWARD -o $INTERFACE -j $chain
102 ip6tables -A FORWARD -o $INTERFACE -j $chain
106 function init_ebtables {
# Hook the per-tap ebtables chains into FORWARD: frames entering from $TAP
# are sent to $FROM, frames leaving towards $TAP to $TO. Creation of the
# chains themselves is presumably on the lines missing from this excerpt.
# Undone by clear_ebtables; the chains are populated by setup_ebtables.
# Globals (read): TAP, FROM, TO.
109 ebtables -A FORWARD -i $TAP -j $FROM
111 ebtables -A FORWARD -o $TAP -j $TO
116 function setup_ebtables {
# Populate the per-tap anti-spoofing chains (bridged mode):
#   $FROM (frames from the VM): drop IPv4 whose source IP is not $IP, drop
#     any frame whose source MAC is not $MAC.
#   $TO (frames to the VM): accept DHCP replies (UDP dst 68), drop frames
#     whose source MAC is outside $MAC/$MAC_MASK.
# Globals (read): FROM, TO, IP, MAC, MAC_MASK.
# NOTE(review): the source-IP check is limited to `-p ipv4`; as shown here,
# IPv6 and ARP source addresses from the VM are constrained only by the
# L2 source-MAC rule. Additional rules may exist on lines not in this excerpt.
118 # do not allow changes in ip-mac pair
120 ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
122 ebtables -A $FROM -s \! $MAC -j DROP
123 #accept dhcp responses from host (nfdhcpd)
124 ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
125 # allow only packets from the same mac prefix
126 ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
129 function setup_masq {
# Intended to open the ebtables chains for router/masquerading traffic
# (frames from $NODE_MAC, plus INPUT/OUTPUT hooks for the host itself).
# Every rule is commented out, so as far as this excerpt shows the function
# does nothing; lines 135-138 of the original are not visible here.
131 # allow packets from/to router (for masquerading)
132 # ebtables -A $TO -s $NODE_MAC -j ACCEPT
133 # ebtables -A INPUT -i $TAP -j $FROM
134 # ebtables -A OUTPUT -o $TAP -j $TO
139 function setup_nfdhcpd {
# Prepare the per-interface state that nfdhcpd reads to answer DHCP/RA for
# this VM. The variables below are collected into globals; the write of
# $FILE itself is on lines not present in this excerpt. Removed again by
# clear_nfdhcpd.
# Globals (read): NFDHCPD_STATE_DIR, INTERFACE, NETWORK_GATEWAY,
#   NETWORK_SUBNET, NETWORK_GATEWAY6, NETWORK_SUBNET6, MAC2EUI64, MAC.
# Globals (written): FILE, GATEWAY, SUBNET, GATEWAY6, SUBNET6, EUI64.
141 FILE=$NFDHCPD_STATE_DIR/$INTERFACE
142 #IFACE is the interface from which the packet seems to arrive
143 #needed in bridged mode where the packets seems to arrive from the
144 #bridge and not from the tap
151 GATEWAY=$NETWORK_GATEWAY
152 SUBNET=$NETWORK_SUBNET
153 GATEWAY6=$NETWORK_GATEWAY6
154 SUBNET6=$NETWORK_SUBNET6
# stderr is discarded: with no IPv6 subnet the helper presumably fails and
# EUI64 is left empty rather than aborting the script.
155 EUI64=$($MAC2EUI64 $MAC $NETWORK_SUBNET6 2>/dev/null)
# Main flow: load site configuration, tear down any previous state for this
# tap, then apply the mode-specific setup. Every helper is invoked with
# stdout and stderr discarded.
# NOTE(review): sourcing executes the file as shell, so it must be writable
# only by root; and because all output is dropped, a failed anti-spoofing or
# firewall rule (setup_ebtables, routed_setup_firewall, $DROPDHCPREQCMD)
# leaves the VM less restricted than intended without any trace — consider
# logging non-zero exit statuses (e.g. via `logger`) instead of discarding them.
161 source /etc/default/snf-network
# Teardown first so the script is safe to re-run on an existing interface.
167 clear_routed_setup_ipv4 > /dev/null 2>&1
168 clear_routed_setup_ipv6 > /dev/null 2>&1
169 clear_routed_setup_firewall > /dev/null 2>&1
170 clear_ebtables > /dev/null 2>&1
171 clear_nfdhcpd > /dev/null 2>&1
173 if [ "$MODE" = "routed" ]; then
# Routed mode: every tap gets the same fixed MAC; there is no bridge.
175 ip link set $INTERFACE addr $TAP_CONSTANT_MAC up
# The drop-unicast-DHCP command is stored as a string and later executed
# through word splitting. An array (`DROPDHCPREQCMD=(iptables -A ...)`,
# run as `"${DROPDHCPREQCMD[@]}"`) is the form that survives values with
# whitespace.
177 DROPDHCPREQCMD="iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP"
178 elif [ "$MODE" = "bridged" ]; then
# Bridged mode: attach the tap to $BRIDGE and hook the per-tap ebtables
# chains into FORWARD.
179 ip link set $INTERFACE up
180 brctl addif $BRIDGE $INTERFACE
182 init_ebtables > /dev/null 2>&1
183 DROPDHCPREQCMD="ebtables -A $FROM -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP"
# Loop body and `done` are not in this excerpt; routed_setup_firewall reads
# $tag, so it is presumably called from inside this loop.
187 for tag in $NETWORK_TAGS; do
190 routed_setup_ipv4 > /dev/null 2>&1
191 routed_setup_ipv6 > /dev/null 2>&1
192 routed_setup_firewall > /dev/null 2>&1
195 # Drop unicast BOOTP/DHCP packets
# Forces the VM's DHCP traffic through nfdhcpd rather than a real server.
196 $DROPDHCPREQCMD > /dev/null 2>&1
197 setup_nfdhcpd > /dev/null 2>&1
200 setup_ebtables > /dev/null 2>&1
# setup_masq currently has all its rules commented out (see its body).
203 setup_masq > /dev/null 2>&1