3 source /etc/default/snf-network
11 function clear_routed_setup_ipv4 {
13 arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle
14 while ip rule del dev $INTERFACE; do :; done
15 iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
19 function clear_routed_setup_ipv6 {
21 while ip -6 rule del dev $INTERFACE; do :; done
25 function delete_neighbor_proxy {
28 get_eui64 $MAC $NETWORK_SUBNET6
30 if [ -z "$EUI64" -z -o "$UPLINK" ]; then
34 $SNF_NETWORK_LOG $0 "ip -6 neigh del proxy $EUI64 dev $UPLINK"
35 ip -6 neigh del proxy $EUI64 dev $UPLINK
39 function clear_routed_setup_firewall {
41 for oldchain in protected unprotected limited; do
42 iptables -D FORWARD -o $INTERFACE -j $oldchain
43 ip6tables -D FORWARD -o $INTERFACE -j $oldchain
48 function clear_ebtables {
50 runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -i $INTERFACE -j $FROM
51 runlocked $RUNLOCKED_OPTS ebtables -D INPUT -i $INTERFACE -j $FROM
52 runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -o $INTERFACE -j $TO
53 runlocked $RUNLOCKED_OPTS ebtables -D OUTPUT -o $INTERFACE -j $TO
55 runlocked $RUNLOCKED_OPTS ebtables -X $FROM
56 runlocked $RUNLOCKED_OPTS ebtables -X $TO
60 function clear_nfdhcpd {
62 rm $NFDHCPD_STATE_DIR/$INTERFACE
67 function routed_setup_ipv4 {
69 if [ -z "$INTERFACE" -o -z "$NETWORK_GATEWAY" -o -z "$IP" -o -z "$TABLE" ]
74 # mangle ARPs to come from the gw's IP
75 arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY"
77 # route interface to the proper routing table
78 ip rule add dev $INTERFACE table $TABLE
80 # static route mapping IP -> INTERFACE
81 ip route replace $IP proto static dev $INTERFACE table $TABLE
84 echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
91 if [ -z "$IP" -o -z "$UPLINK" ]; then
95 # Send GARP from host to upstream router
96 echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
97 $SNF_NETWORK_LOG $0 "arpsend -U -i $IP -c1 $UPLINK"
98 arpsend -U -i $IP -c1 $UPLINK
99 echo 0 > /proc/sys/net/ipv4/ip_nonlocal_bind
103 function routed_setup_ipv6 {
104 # Add a routing entry for the eui-64
105 get_uplink $TABLE "-6"
106 get_eui64 $MAC $NETWORK_SUBNET6
108 if [ -z "$EUI64" -o -z "$TABLE" -o -z "$INTERFACE" -o -z "$UPLINK" ]
113 ip -6 rule add dev $INTERFACE table $TABLE
114 ip -6 ro replace $EUI64/128 dev $INTERFACE table $TABLE
115 ip -6 neigh add proxy $EUI64 dev $UPLINK
117 # disable proxy NDP since we're handling this on userspace
118 # this should be the default, but better safe than sorry
119 echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp
121 # Send Unsolicited Neighbor Advertisement
122 $SNF_NETWORK_LOG $0 "ndsend $EUI64 $UPLINK"
123 ndsend $EUI64 $UPLINK
127 # pick a firewall profile per NIC, based on tags (and apply it)
128 function routed_setup_firewall {
129 # for latest ganeti there is no need to check other but uuid
130 ifprefixindex="synnefo:network:$INTERFACE_INDEX:"
131 ifprefixname="synnefo:network:$INTERFACE_NAME:"
132 ifprefixuuid="synnefo:network:$INTERFACE_UUID:"
134 tag=${tag#$ifprefixindex}
135 tag=${tag#$ifprefixname}
136 tag=${tag#$ifprefixuuid}
150 if [ "x$chain" != "x" ]; then
151 iptables -A FORWARD -o $INTERFACE -j $chain
152 ip6tables -A FORWARD -o $INTERFACE -j $chain
156 function init_ebtables {
158 runlocked $RUNLOCKED_OPTS ebtables -N $FROM -P RETURN
159 runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -i $INTERFACE -j $FROM
160 # This is needed for multicast packets
161 runlocked $RUNLOCKED_OPTS ebtables -A INPUT -i $INTERFACE -j $FROM
163 runlocked $RUNLOCKED_OPTS ebtables -N $TO -P RETURN
164 runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -o $INTERFACE -j $TO
165 # This is needed for multicast packets
166 runlocked $RUNLOCKED_OPTS ebtables -A OUTPUT -o $INTERFACE -j $TO
171 function setup_ebtables {
173 # do not allow changes in ip-mac pair
174 if [ -n "$IP" ]; then
175 :; # runlocked $RUNLOCKED_OPTS ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
177 runlocked $RUNLOCKED_OPTS ebtables -A $FROM -s \! $MAC -j DROP
178 # accept dhcp responses from host (nfdhcpd)
179 # this is actually not needed because nfdhcpd opens a socket and binds is with
180 # tap interface so dhcp response does not go through bridge
181 # runlocked $RUNLOCKED_OPTS ebtables -A $TO -s $INDEV_MAC -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
182 # allow only packets from the same mac prefix
183 runlocked $RUNLOCKED_OPTS ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
186 function setup_masq {
188 # allow packets from/to router (for masquerading)
189 # runlocked $RUNLOCKED_OPTS ebtables -A $TO -s $NODE_MAC -j ACCEPT
190 # runlocked $RUNLOCKED_OPTS ebtables -A INPUT -i $INTERFACE -j $FROM
191 # runlocked $RUNLOCKED_OPTS ebtables -A OUTPUT -o $INTERFACE -j $TO
196 function setup_nfdhcpd {
198 FILE=$NFDHCPD_STATE_DIR/$INTERFACE
199 #IFACE is the interface from which the packet seems to arrive
200 #needed in bridged mode where the packets seems to arrive from the
201 #bridge and not from the tap
208 GATEWAY=$NETWORK_GATEWAY
209 SUBNET=$NETWORK_SUBNET
210 GATEWAY6=$NETWORK_GATEWAY6
211 SUBNET6=$NETWORK_SUBNET6
212 EUI64=$($MAC2EUI64 $MAC $NETWORK_SUBNET6 2>/dev/null)
217 function get_uplink {
221 UPLINK=$(ip $version route list table $table | grep "default via" | awk '{print $5}')
222 $SNF_NETWORK_LOG $0 "* uplink for table $table is $UPLINK"
226 # Because we do not have IPv6 value in our environment
227 # we caclulate it based on the NIC's MAC and the IPv6 subnet (if any)
228 # first argument MAC second IPv6 subnet
229 # Changes global value EUI64
235 if [ -z "$prefix" ]; then
238 EUI64=$($MAC2EUI64 $mac $prefix)
239 $SNF_NETWORK_LOG $0 "* eui64 for $mac inside $prefix is $EUI64"
245 # DDNS related functions
247 # ommit zone statement
248 # nsupdate will attempt determine the correct zone to update based on the rest of the input
252 $SNF_NETWORK_LOG $0 "* $command"
253 nsupdate -k $KEYFILE > /dev/null << EOF
266 if [ -n "$IP" ]; then
267 command="update $action $GANETI_INSTANCE_NAME.$FZONE $TTL A $IP"
268 send_command "$command"
274 update_aaaarecord () {
278 if [ -n "$EUI64" ]; then
279 command="update $action $GANETI_INSTANCE_NAME.$FZONE $TTL AAAA $EUI64"
280 send_command "$command"
286 update_ptrrecord () {
290 if [ -n "$IP" ]; then
291 command="update $action $RLPART.$RZONE. $TTL PTR $GANETI_INSTANCE_NAME.$FZONE"
292 send_command "$command"
297 update_ptr6record () {
301 if [ -n "$EUI64" ]; then
302 command="update $action $R6LPART$R6ZONE. $TTL PTR $GANETI_INSTANCE_NAME.$FZONE"
303 send_command "$command"
311 update_arecord $action
312 update_aaaarecord $action
313 update_ptrrecord $action
314 update_ptr6record $action
319 # first argument is an eui64 (IPv6)
320 # sets GLOBAL args R6REC, R6ZONE, R6LPART
321 # lets assume eui64=2001:648:2ffc:1::1
322 # the following commands produce:
323 # R6REC=1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.c.f.f.2.8.4.6.0.1.0.0.2.ip6.arpa
324 # R6ZONE=1.0.0.0.c.f.f.2.8.4.6.0.1.0.0.2.ip6.arpa
325 # R6LPART=1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
329 if [ -z "$eui64" ]; then
330 R6REC= ; R6ZONE= ; R6LPART= ;
332 R6REC=$(host $eui64 | egrep -o '([[:alnum:]]\.){32}ip6.arpa' )
333 R6ZONE=$(echo $R6REC | awk -F. 'BEGIN{rpart="";} { for (i=32;i>16;i=i-1) rpart=$i "." rpart; } END{print rpart "ip6.arpa";}')
334 R6LPART=$(echo $R6REC | awk -F. 'BEGIN{lpart="";} { for (i=16;i>0;i=i-1) lpart=$i "." lpart; } END{print lpart;}')
340 # first argument is an ipv4
341 # sets args RZONE, RLPART
342 # lets assume IP=203.0.113.1
343 # RZONE="113.0.203.in-add.arpa"
348 if [ -z "$ip" ]; then
354 a=$1 ; b=$2; c=$3; d=$4;
356 RZONE="$c.$b.$a.in-addr.arpa"
363 # Query nameserver for entries related to the specific instance
364 # An example output is the following:
365 # www.google.com has address 173.194.113.114
366 # www.google.com has address 173.194.113.115
367 # www.google.com has address 173.194.113.116
368 # www.google.com has address 173.194.113.112
369 # www.google.com has address 173.194.113.113
370 # www.google.com has IPv6 address 2a00:1450:4001:80b::1012
373 HOSTQ="host -s -R 3 -W 3"
374 HOST_IP_ALL=$($HOSTQ $GANETI_INSTANCE_NAME.$FZONE $SERVER | sed -n 's/.*has address //p')
375 HOST_IP6_ALL=$($HOSTQ $GANETI_INSTANCE_NAME.$FZONE $SERVER | sed -n 's/.*has IPv6 address //p')