# tear down what routed_setup_ipv4 installed for $INTERFACE
# (only part of the body is shown here; the closing brace is not visible)
# NOTE(review): INTERFACE and the other variables used below are not set in
# this file -- presumably supplied by the caller's environment; confirm
9 function clear_routed_setup_ipv4 {
# remove the ARP source-mangling rule added by routed_setup_ipv4
# NOTE(review): this -D spec omits the --mangle-ip-s value given at -A time;
# confirm arptables still matches the rule without it, otherwise it is never removed
11 arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle
# keep deleting until no policy rule for this device is left (ip rule add is
# not idempotent, so several may have accumulated)
12 while ip rule del dev $INTERFACE; do :; done
# remove the DROP of udp/67 (DHCP server port) coming in from the VM; the
# matching -A is not among the lines of routed_setup_ipv4 shown here
13 iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
# ipv6 counterpart of clear_routed_setup_ipv4 (only part of the body is shown)
17 function clear_routed_setup_ipv6 {
# keep deleting until no ipv6 policy rule for this device is left
19 while ip -6 rule del dev $INTERFACE; do :; done
# detach the per-NIC firewall profile chain from FORWARD, v4 and v6
# (the end of the loop and of the function are not shown)
24 function clear_routed_setup_firewall {
# the profile in use is not recorded anywhere visible here, so try all three;
# two of the deletions are expected to fail -- this relies on the script not
# running under set -e (not visible here; confirm)
26 for oldchain in protected unprotected limited; do
# NOTE(review): -D removes one instance only; routed_setup_firewall uses -A,
# so a setup run without a clear in between leaves a second jump behind.
# the ipv4 rule teardown in clear_routed_setup_ipv4 loops instead.
27 iptables -D FORWARD -o $INTERFACE -j $oldchain
28 ip6tables -D FORWARD -o $INTERFACE -j $oldchain
# remove the per-interface ebtables chains $FROM/$TO created by init_ebtables
# (only part of the body is shown; runlocked is an external wrapper, presumably
# serialising ebtables invocations -- not defined here)
33 function clear_ebtables {
# unhook the chains from FORWARD first; -X below refuses to delete a chain
# that is still referenced
35 runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -i $INTERFACE -j $FROM
36 runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -o $INTERFACE -j $TO
37 #runlocked $RUNLOCKED_OPTS ebtables -D OUTPUT -o $INTERFACE -j $TO
# NOTE(review): -X also needs the chains to be empty; the flush (-F) is not
# among the lines shown -- confirm it happens before this point
39 runlocked $RUNLOCKED_OPTS ebtables -X $FROM
40 runlocked $RUNLOCKED_OPTS ebtables -X $TO
# remove the per-NIC file that setup_nfdhcpd names as $FILE
44 function clear_nfdhcpd {
# NOTE(review): unquoted and unguarded -- with NFDHCPD_STATE_DIR empty this
# becomes "rm /$INTERFACE", and an odd INTERFACE value is subject to word
# splitting; safer form: rm -f -- "${NFDHCPD_STATE_DIR:?}/${INTERFACE:?}"
46 rm $NFDHCPD_STATE_DIR/$INTERFACE
# routed mode, ipv4: plumb $INTERFACE so that $IP is reachable through it
# via routing table $TABLE (only part of the body is shown)
51 function routed_setup_ipv4 {
53 # mangle ARPs to come from the gw's IP
# only ARP requests leaving through $INTERFACE are rewritten
54 arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY"
56 # route interface to the proper routing table
# not idempotent: each run adds another rule, which is why the clear loops
57 ip rule add dev $INTERFACE table $TABLE
59 # static route mapping IP -> INTERFACE
# replace rather than add, so re-running does not fail on an existing route
60 ip route replace $IP proto static dev $INTERFACE table $TABLE
# enable proxy ARP on the tap so the host answers ARP on the VM's behalf
63 echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
# routed mode, ipv6: route the VM's EUI-64 address through $INTERFACE and let
# the uplink answer neighbour solicitations for it (only part of the body shown)
66 function routed_setup_ipv6 {
67 # Add a routing entry for the eui-64
# NOTE(review): prefix, uplink and eui64 are not declared local and so leak
# into the caller's scope
68 prefix=$NETWORK_SUBNET6
# uplink device = 5th field of the default route in $TABLE, presumably the
# name after "dev" in "default via <gw> dev <ifname> ..."; empty when no
# default route exists, in which case the neigh command below fails
69 uplink=$(ip -6 route list table $TABLE | grep "default via" | awk '{print $5}')
# $MAC2EUI64 is an external helper deriving the address from MAC + prefix;
# a failure is not checked here, leaving eui64 empty for the commands below
70 eui64=$($MAC2EUI64 $MAC $prefix)
73 ip -6 rule add dev $INTERFACE table $TABLE
# host route for the eui-64 address
74 ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE
# proxy-ND entry so the uplink responds to solicitations for the VM's address
75 ip -6 neigh add proxy $eui64 dev $uplink
77 # disable proxy NDP since we're handling this on userspace
78 # this should be the default, but better safe than sorry
79 echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp
82 # pick a firewall profile per NIC, based on tags (and apply it)
# tags carrying the "synnefo:network:<index>:" prefix select the chain; the
# loop providing $tag and the case arms setting $chain are not shown here
83 function routed_setup_firewall {
84 ifprefix="synnefo:network:$INTERFACE_INDEX:"
# strip the per-NIC prefix; $ifprefix is unquoted, so it is treated as a glob
# pattern -- fine as long as INTERFACE_INDEX carries no glob characters
86 case ${tag#$ifprefix} in
# NOTE(review): chain is not reset in the lines shown; confirm a value from an
# earlier invocation cannot carry over into this non-empty check
99 if [ "x$chain" != "x" ]; then
# -A appends: running setup twice stacks a second jump (see clear_routed_setup_firewall)
100 iptables -A FORWARD -o $INTERFACE -j $chain
101 ip6tables -A FORWARD -o $INTERFACE -j $chain
# create the per-interface chains $FROM/$TO and hook them into FORWARD
# (FROM and TO are not set in the lines shown; closing brace not visible)
105 function init_ebtables {
# frames coming from the VM traverse $FROM, frames towards it traverse $TO
# NOTE(review): -N fails if the chain already exists; nothing here checks that
107 runlocked $RUNLOCKED_OPTS ebtables -N $FROM
108 runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -i $INTERFACE -j $FROM
109 runlocked $RUNLOCKED_OPTS ebtables -N $TO
110 runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -o $INTERFACE -j $TO
# L2 anti-spoofing for the VM: pin its source IP and MAC, and restrict what
# may be delivered to it (only part of the body is shown)
115 function setup_ebtables {
117 # do not allow changes in ip-mac pair
# "\!" is the shell-escaped negation: drop ipv4 frames whose source IP is not $IP
# NOTE(review): -p ipv4 scopes this to IPv4 headers; whether ARP sender
# addresses and IPv6 sources are pinned by lines not shown cannot be told here
119 runlocked $RUNLOCKED_OPTS ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
# drop any frame whose source MAC is not the VM's
121 runlocked $RUNLOCKED_OPTS ebtables -A $FROM -s \! $MAC -j DROP
122 #accept dhcp responses from host (nfdhcpd)
# order matters: this ACCEPT precedes the MAC-prefix DROP below, presumably
# because the host's replies do not share the VM's MAC prefix
123 runlocked $RUNLOCKED_OPTS ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
124 # allow only packets from the same mac prefix
# $MAC_MASK selects which bits of the source MAC are compared
125 runlocked $RUNLOCKED_OPTS ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
# masquerading support; every rule in the lines shown is commented out, so
# in this part of the function nothing is added to ebtables
128 function setup_masq {
130 # allow packets from/to router (for masquerading)
131 # runlocked $RUNLOCKED_OPTS ebtables -A $TO -s $NODE_MAC -j ACCEPT
132 # runlocked $RUNLOCKED_OPTS ebtables -A INPUT -i $INTERFACE -j $FROM
133 # runlocked $RUNLOCKED_OPTS ebtables -A OUTPUT -o $INTERFACE -j $TO
# collect the per-NIC parameters for nfdhcpd; the binding file is named here,
# how it is written is not among the lines shown
138 function setup_nfdhcpd {
# same path that clear_nfdhcpd removes
140 FILE=$NFDHCPD_STATE_DIR/$INTERFACE
141 #IFACE is the interface from which the packet seems to arrive
142 #needed in bridged mode where the packets seem to arrive from the
143 #bridge and not from the tap
# NOTE(review): plain (global) uppercase assignments, not local -- they
# remain set after the function returns
150 GATEWAY=$NETWORK_GATEWAY
151 SUBNET=$NETWORK_SUBNET
152 GATEWAY6=$NETWORK_GATEWAY6
153 SUBNET6=$NETWORK_SUBNET6
# stderr is silenced, so a failed conversion (presumably when no ipv6 subnet
# is configured) yields an empty EUI64 instead of an error; whatever consumes
# it must tolerate the empty value
154 EUI64=$($MAC2EUI64 $MAC $NETWORK_SUBNET6 2>/dev/null)