Automate config via hooks

[snf-network] / kvm-vif-bridge

#!/bin/bash

# This is an example of a Ganeti kvm ifup script that configures network
# interfaces based on the initial deployment of the Okeanos project

TAP_CONSTANT_MAC=cc:47:52:4e:45:54 # GRNET in hex :-)
MAC2EUI64=/usr/bin/mac2eui64
NFDHCPD_STATE_DIR=/var/lib/nfdhcpd



function clear_tap {

 arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle >/dev/null 2>&1
 while ip rule del dev $INTERFACE; do :; done
 iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP 2>/dev/null


}

function routed_setup_ipv4 {

        # mangle ARPs to come from the gw's IP
        arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s    "$GATEWAY"

        # route interface to the proper routing table
        ip rule add dev $INTERFACE table $TABLE

        # static route mapping IP -> INTERFACE
        ip route replace $IP proto static dev $INTERFACE table $TABLE

        # Enable proxy ARP
        echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
}

function routed_setup_ipv6 {
        # Add a routing entry for the eui-64
        prefix=$SUBNET6
        uplink=$GATEWAY6
        eui64=$($MAC2EUI64 $MAC $prefix)

        while ip -6 rule del dev $INTERFACE; do :; done
        ip -6 rule add dev $INTERFACE table $TABLE
        ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE
        ip -6 neigh add proxy $eui64 dev $uplink

        # disable proxy NDP since we're handling this on userspace
        # this should be the default, but better safe than sorry
        echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp
}

# pick a firewall profile per NIC, based on tags (and apply it)
function routed_setup_firewall {
        ifprefix="synnefo:network:$INTERFACE_INDEX:"
        for tag in $TAGS; do
                case ${tag#$ifprefix} in
                protected)
                        chain=protected
                ;;
                unprotected)
                        chain=unprotected
                ;;
                limited)
                        chain=limited
                ;;
                esac
        done

        # Flush any old rules. We have to consider all chains, since
        # we are not sure the instance was on the same chain, or had the same
        # tap interface.
        for oldchain in protected unprotected limited; do
                iptables  -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null
                ip6tables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null
        done

        if [ "x$chain" != "x" ]; then
                iptables  -A FORWARD -o $INTERFACE -j $chain
                ip6tables -A FORWARD -o $INTERFACE -j $chain
        fi
}

function setup_nfdhcpd {
        umask 022
  FILE=$NFDHCPD_STATE_DIR/$INTERFACE
  #IFACE is the interface from which the packet seems to arrive
  #needed in bridged mode where the packets seems to arrive from the
  #bridge and not from the tap
        cat >$FILE <<EOF
IFACE=$1
IP=$IP
MAC=$MAC
HOSTNAME=$INSTANCE
TAGS="$TAGS"
EOF
if [ -n "$GATEWAY" ]; then
 echo GATEWAY=$GATEWAY >> $FILE
fi
if [ -n "$SUBNET" ]; then
 echo SUBNET=$SUBNET >> $FILE
fi
if [ -n "$GATEWAY6" ]; then
 echo GATEWAY6=$GATEWAY6 >> $FILE
fi
if [ -n "$SUBNET6" ]; then
 echo SUBNET6=$SUBNET6 >> $FILE
fi

}

function clear_ebtables {
  TAP=$INTERFACE
  FROM=FROM${TAP^^}
  TO=TO${TAP^^}

  exist=$(ebtables -L | grep $TAP)

  if [ ! -z "$exist" ]; then
    ebtables -D INPUT -i $TAP -j $FROM
    ebtables -D FORWARD -i $TAP -j $FROM
    ebtables -D FORWARD -o $TAP -j $TO
    ebtables -D OUTPUT -o $TAP -j $TO

    ebtables -X $FROM
    ebtables -X $TO
  fi
}

function setup_ebtables {
  TAP=$INTERFACE
  FROM=FROM${TAP^^}
  TO=TO${TAP^^}

  ebtables -N $FROM
  # do not allow changes in ip-mac pair
  ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
  ebtables -A $FROM -s \! $MAC -j DROP
  ebtables -A FORWARD -i $TAP -j $FROM
  ebtables -N $TO
  ebtables -A FORWARD -o $TAP -j $TO
  #accept dhcp responses from host (nfdhcpd)
  ebtables -A $TO -p ipv4 --ip-protocol=udp  --ip-destination-port=68 -j ACCEPT
  if [ "$TYPE" == "private" ]; then
    if [ ! -z "$GATEWAY" -a $ENABLE_MASQ ]; then
      # allow packets from/to router (for masquerading
      ebtables -A $TO -s $ROUTER_MAC -j ACCEPT
      ebtables -A INPUT -i $TAP -j $FROM
      ebtables -A OUTPUT -o $TAP -j $TO
    fi
    # allow only packets from the same mac prefix
    ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
  fi
}



DEFAULT=/etc/default/snf-network
source $DEFAULT
source $CONF

NODEINFRAFILE=$SHAREDDIR/infra/$(hostname)

if [ -e "$NODEINFRAFILE" ]; then
  source $NODEINFRAFILE
fi

CLUSTERINFRAFILE=$SHAREDDIR/infra/cluster

if [ -e "$CLUSTERINFRAFILE" ]; then
  source $CLUSTERINFRAFILE
fi

NETFILE=$SHAREDDIR/networks/$NETWORK

if [ -e "$NETFILE" ]; then
  source $NETFILE
fi

if [ "$MODE" = "routed" ]; then
  TABLE=rt_$NETWORK
        # special proxy-ARP/NDP routing mode
  clear_tap
        # use a constant predefined MAC address for the tap
        ip link set $INTERFACE addr $TAP_CONSTANT_MAC
        # bring the tap up
        ifconfig $INTERFACE 0.0.0.0 up

        # Drop unicast BOOTP/DHCP packets
        iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP

        routed_setup_ipv4
        routed_setup_ipv6
        routed_setup_firewall
        setup_nfdhcpd $INTERFACE
  clear_ebtables >/dev/null 2>&1
elif [ "$MODE" = "bridged" ]; then
  clear_tap
  clear_ebtables >/dev/null 2>&1
        ifconfig $INTERFACE 0.0.0.0 up
        brctl addif $BRIDGE $INTERFACE
        setup_nfdhcpd $BRIDGE
  setup_ebtables
fi