3 # This is an example of a Ganeti kvm ifup script that configures network
4 # interfaces based on the initial deployment of the Okeanos project
6 TAP_CONSTANT_MAC=cc:47:52:4e:45:54 # GRNET in hex :-)
7 MAC2EUI64=/usr/bin/mac2eui64
8 NFDHCPD_STATE_DIR=/var/lib/nfdhcpd
14 arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle >/dev/null 2>&1
15 while ip rule del dev $INTERFACE; do :; done
16 iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP 2>/dev/null
21 function routed_setup_ipv4 {
23 # mangle ARPs to come from the gw's IP
24 arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$GATEWAY"
26 # route interface to the proper routing table
27 ip rule add dev $INTERFACE table $TABLE
29 # static route mapping IP -> INTERFACE
30 ip route replace $IP proto static dev $INTERFACE table $TABLE
33 echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
36 function routed_setup_ipv6 {
37 # Add a routing entry for the eui-64
40 eui64=$($MAC2EUI64 $MAC $prefix)
42 while ip -6 rule del dev $INTERFACE; do :; done
43 ip -6 rule add dev $INTERFACE table $TABLE
44 ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE
45 ip -6 neigh add proxy $eui64 dev $uplink
47 # disable proxy NDP since we're handling this on userspace
48 # this should be the default, but better safe than sorry
49 echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp
52 # pick a firewall profile per NIC, based on tags (and apply it)
53 function routed_setup_firewall {
54 ifprefix="synnefo:network:$INTERFACE_INDEX:"
56 case ${tag#$ifprefix} in
69 # Flush any old rules. We have to consider all chains, since
70 # we are not sure the instance was on the same chain, or had the same
72 for oldchain in protected unprotected limited; do
73 iptables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null
74 ip6tables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null
77 if [ "x$chain" != "x" ]; then
78 iptables -A FORWARD -o $INTERFACE -j $chain
79 ip6tables -A FORWARD -o $INTERFACE -j $chain
83 function setup_nfdhcpd {
85 FILE=$NFDHCPD_STATE_DIR/$INTERFACE
86 #IFACE is the interface from which the packet seems to arrive
87 #needed in bridged mode where the packets seems to arrive from the
88 #bridge and not from the tap
96 if [ -n "$GATEWAY" ]; then
97 echo GATEWAY=$GATEWAY >> $FILE
99 if [ -n "$SUBNET" ]; then
100 echo SUBNET=$SUBNET >> $FILE
102 if [ -n "$GATEWAY6" ]; then
103 echo GATEWAY6=$GATEWAY6 >> $FILE
105 if [ -n "$SUBNET6" ]; then
106 echo SUBNET6=$SUBNET6 >> $FILE
111 function clear_ebtables {
116 exist=$(ebtables -L | grep $TAP)
118 if [ ! -z "$exist" ]; then
119 ebtables -D INPUT -i $TAP -j $FROM
120 ebtables -D FORWARD -i $TAP -j $FROM
121 ebtables -D FORWARD -o $TAP -j $TO
122 ebtables -D OUTPUT -o $TAP -j $TO
129 function setup_ebtables {
135 # do not allow changes in ip-mac pair
136 ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
137 ebtables -A $FROM -s \! $MAC -j DROP
138 ebtables -A FORWARD -i $TAP -j $FROM
140 ebtables -A FORWARD -o $TAP -j $TO
141 #accept dhcp responses from host (nfdhcpd)
142 ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
143 if [ "$TYPE" == "private" ]; then
144 if [ ! -z "$GATEWAY" -a $ENABLE_MASQ ]; then
145 # allow packets from/to router (for masquerading
146 ebtables -A $TO -s $ROUTER_MAC -j ACCEPT
147 ebtables -A INPUT -i $TAP -j $FROM
148 ebtables -A OUTPUT -o $TAP -j $TO
150 # allow only packets from the same mac prefix
151 ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
157 DEFAULT=/etc/default/snf-network
161 NODEINFRAFILE=$SHAREDDIR/infra/$(hostname)
163 if [ -e "$NODEINFRAFILE" ]; then
164 source $NODEINFRAFILE
167 CLUSTERINFRAFILE=$SHAREDDIR/infra/cluster
169 if [ -e "$CLUSTERINFRAFILE" ]; then
170 source $CLUSTERINFRAFILE
173 NETFILE=$SHAREDDIR/networks/$NETWORK
175 if [ -e "$NETFILE" ]; then
179 if [ "$MODE" = "routed" ]; then
181 # special proxy-ARP/NDP routing mode
183 # use a constant predefined MAC address for the tap
184 ip link set $INTERFACE addr $TAP_CONSTANT_MAC
186 ifconfig $INTERFACE 0.0.0.0 up
188 # Drop unicast BOOTP/DHCP packets
189 iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
193 routed_setup_firewall
194 setup_nfdhcpd $INTERFACE
195 clear_ebtables >/dev/null 2>&1
196 elif [ "$MODE" = "bridged" ]; then
198 clear_ebtables >/dev/null 2>&1
199 ifconfig $INTERFACE 0.0.0.0 up
200 brctl addif $BRIDGE $INTERFACE
201 setup_nfdhcpd $BRIDGE