# Tear down what routed_setup_ipv4 installed for $INTERFACE: the ARP
# source-IP mangling, every policy-routing rule bound to the tap, and the
# FORWARD rule dropping DHCP-server-bound (udp/67) traffic coming in from it.
# Every step is best-effort: a rule that is already gone just makes that
# command fail. Relies on $INTERFACE being set by the caller (unquoted here).
9 function clear_routed_setup_ipv4 {
11 arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle
# Repeat until `ip rule del` returns non-zero, so duplicate rules left by
# repeated setup runs are all removed, not just the first one.
12 while ip rule del dev $INTERFACE; do :; done
# Counterpart of a DROP for guest DHCP requests (dport 67) so they are not
# forwarded upstream; the matching -A is not in this excerpt — presumably
# nfdhcpd answers those requests instead.
13 iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
# IPv6 counterpart of clear_routed_setup_ipv4: remove every IPv6 policy
# rule bound to $INTERFACE (loops until `ip -6 rule del` fails).
# NOTE(review): the proxy NDP entry added on $UPLINK by routed_setup_ipv6
# is not removed in the lines visible here — confirm it is handled elsewhere.
17 function clear_routed_setup_ipv6 {
19 while ip -6 rule del dev $INTERFACE; do :; done
# Remove the per-NIC firewall jump installed by routed_setup_firewall.
# Since the profile chosen at setup time is not recorded, a -D is tried
# for each of the three known profile chains (v4 and v6); the two that
# do not match simply fail.
24 function clear_routed_setup_firewall {
26 for oldchain in protected unprotected limited; do
27 iptables -D FORWARD -o $INTERFACE -j $oldchain
28 ip6tables -D FORWARD -o $INTERFACE -j $oldchain
# Unhook and delete the per-interface ebtables chains $FROM and $TO that
# init_ebtables created. All calls go through runlocked, which presumably
# serialises ebtables changes across concurrently running hooks — confirm.
33 function clear_ebtables {
# Jumps from the built-in chains are removed first; ebtables refuses to
# delete a chain that is still referenced.
35 runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -i $INTERFACE -j $FROM
36 runlocked $RUNLOCKED_OPTS ebtables -D INPUT -i $INTERFACE -j $FROM
37 runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -o $INTERFACE -j $TO
38 runlocked $RUNLOCKED_OPTS ebtables -D OUTPUT -o $INTERFACE -j $TO
40 runlocked $RUNLOCKED_OPTS ebtables -X $FROM
41 runlocked $RUNLOCKED_OPTS ebtables -X $TO
# Remove the per-interface state file that setup_nfdhcpd wrote, so nfdhcpd
# stops answering for this NIC. Only a single file is removed (no -r), so an
# empty $INTERFACE makes rm fail on the directory rather than delete it.
45 function clear_nfdhcpd {
47 rm $NFDHCPD_STATE_DIR/$INTERFACE
# Configure IPv4 "routed" networking for one NIC: the guest's address is
# reached through a per-NIC routing table instead of a bridge, the host
# impersonates the network gateway on the tap, and the upstream router is
# told (via gratuitous ARP on $UPLINK) that the guest IP now lives here.
# Requires INTERFACE, NETWORK_GATEWAY, IP and TABLE (checked below; the
# error branch is not in this excerpt). UPLINK is used unchecked here.
52 function routed_setup_ipv4 {
54 if [ -z "$INTERFACE" -o -z "$NETWORK_GATEWAY" -o -z "$IP" -o -z "$TABLE" ]
59 # mangle ARPs to come from the gw's IP
# ARP requests the host sends out of the tap carry the gateway's IP as
# sender, so the guest resolves its default gateway to the host's MAC.
60 arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY"
62 # route interface to the proper routing table
63 ip rule add dev $INTERFACE table $TABLE
65 # static route mapping IP -> INTERFACE
66 ip route replace $IP proto static dev $INTERFACE table $TABLE
# Let the host answer ARP on the tap on behalf of other addresses (the
# guest sees the host as next hop for everything).
69 echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
71 # Send GARP from host to upstream router
# arping -U sends the gratuitous ARP with the guest's (non-local) IP as
# source, which needs ip_nonlocal_bind. NOTE(review): this sysctl is
# flipped host-wide and only restored by the plain echo 0 below — there is
# no trap, so an aborted run (or arping being killed) leaves the whole host
# with ip_nonlocal_bind=1, and concurrent hook runs race on the same knob.
# Consider a trap or saving/restoring the previous value.
73 echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
74 $SNF_NETWORK_LOG $0 "arping -c3 -I $UPLINK -U $IP"
75 arping -c3 -I $UPLINK -U $IP
76 echo 0 > /proc/sys/net/ipv4/ip_nonlocal_bind
# IPv6 counterpart of routed_setup_ipv4. The guest address is the EUI-64
# derived from its MAC and $NETWORK_SUBNET6 (global EUI64, set by get_eui64);
# the uplink is taken from the default route of table $TABLE (global UPLINK,
# set by get_uplink). Requires EUI64, TABLE, INTERFACE and UPLINK (checked
# below; the error branch is not in this excerpt).
80 function routed_setup_ipv6 {
81 # Add a routing entry for the eui-64
82 get_uplink $TABLE "-6"
83 get_eui64 $MAC $NETWORK_SUBNET6
85 if [ -z "$EUI64" -o -z "$TABLE" -o -z "$INTERFACE" -o -z "$UPLINK" ]
90 ip -6 rule add dev $INTERFACE table $TABLE
91 ip -6 ro replace $EUI64/128 dev $INTERFACE table $TABLE
# Kernel proxy-NDP entry for the guest address on the uplink.
# NOTE(review): the kernel only answers neighbour solicitations for proxy
# entries when proxy_ndp is enabled on the interface that receives the NS
# ($UPLINK); nothing here enables it, so this entry may be inert and NS
# handled in userspace as the comment below says — confirm which is intended.
92 ip -6 neigh add proxy $EUI64 dev $UPLINK
94 # disable proxy NDP since we're handling this on userspace
95 # this should be the default, but better safe than sorry
96 echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp
98 # Send Unsolicited Neighbor Advertisement
# Tells the upstream router the guest address is now reachable via this
# host (IPv6 analogue of the gratuitous ARP in routed_setup_ipv4).
99 $SNF_NETWORK_LOG $0 "ndsend $EUI64 $UPLINK"
100 ndsend $EUI64 $UPLINK
# pick a firewall profile per NIC, based on tags (and apply it)
# Tags of the form synnefo:network:<index|name|uuid>:<profile> select a
# chain (presumably one of protected / unprotected / limited, the names that
# clear_routed_setup_firewall removes); the tag-to-chain mapping is not in
# this excerpt. The chain is hooked on FORWARD -o $INTERFACE, i.e. it filters
# traffic *delivered to* the instance only; traffic originating from the
# instance does not pass through it.
105 function routed_setup_firewall {
106 # for latest ganeti there is no need to check other but uuid
# Three prefixes are accepted so NICs tagged by index or name (older
# Ganeti) keep working alongside UUID-tagged ones.
107 ifprefixindex="synnefo:network:$INTERFACE_INDEX:"
108 ifprefixname="synnefo:network:$INTERFACE_NAME:"
109 ifprefixuuid="synnefo:network:$INTERFACE_UUID:"
# Strip whichever prefix matches; a non-matching prefix leaves $tag as is.
111 tag=${tag#$ifprefixindex}
112 tag=${tag#$ifprefixname}
113 tag=${tag#$ifprefixuuid}
127 if [ "x$chain" != "x" ]; then
# -A appends a new jump on every run; avoiding duplicates relies on
# clear_routed_setup_firewall having been called first.
128 iptables -A FORWARD -o $INTERFACE -j $chain
129 ip6tables -A FORWARD -o $INTERFACE -j $chain
# Create the two per-interface ebtables chains ($FROM for frames entering
# from the tap, $TO for frames leaving towards it) with a RETURN policy, and
# hook them into the built-in chains. Frames are only dropped by rules that
# setup_ebtables adds later. Chain names come from $FROM/$TO, set elsewhere.
133 function init_ebtables {
135 runlocked $RUNLOCKED_OPTS ebtables -N $FROM -P RETURN
136 runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -i $INTERFACE -j $FROM
137 # This is needed for multicast packets
# Frames the host itself consumes (INPUT) do not traverse FORWARD, so the
# same chain is hooked there too.
138 runlocked $RUNLOCKED_OPTS ebtables -A INPUT -i $INTERFACE -j $FROM
140 runlocked $RUNLOCKED_OPTS ebtables -N $TO -P RETURN
141 runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -o $INTERFACE -j $TO
142 # This is needed for multicast packets
143 runlocked $RUNLOCKED_OPTS ebtables -A OUTPUT -o $INTERFACE -j $TO
# Install the layer-2 anti-spoofing rules for one NIC in the chains created
# by init_ebtables. What is actually enforced here:
#   - frames coming from the tap must carry the instance's MAC as source;
#   - frames going to the tap must come from a source MAC within
#     $MAC/$MAC_MASK (the instance MAC prefix).
# NOTE(review): the IP-source pin below is disabled (':;' placeholder), so
# a frame with the right MAC but a forged IPv4 source is NOT stopped at L2
# by this function; confirm that routed mode's per-table static route (or
# rp_filter) covers it, otherwise the guest can spoof IPs.
148 function setup_ebtables {
150 # do not allow changes in ip-mac pair
151 if [ -n "$IP" ]; then
152 :; # runlocked $RUNLOCKED_OPTS ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
# MAC anti-spoofing: drop anything from the tap not sourced from $MAC.
154 runlocked $RUNLOCKED_OPTS ebtables -A $FROM -s \! $MAC -j DROP
155 # accept dhcp responses from host (nfdhcpd)
# This is not needed because nfdhcpd opens a socket bound to the tap
# interface, so its DHCP responses do not traverse the bridge.
158 # runlocked $RUNLOCKED_OPTS ebtables -A $TO -s $INDEV_MAC -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
159 # allow only packets from the same mac prefix
# Frames towards the guest from any MAC outside the prefix are dropped —
# note this includes the upstream router unless its MAC matches or an
# exception is added (see the commented NODE_MAC rule in setup_masq).
160 runlocked $RUNLOCKED_OPTS ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
# Intended to let the masquerading router's frames ($NODE_MAC) through the
# prefix filter of setup_ebtables. Every rule is currently commented out,
# so this function is a no-op as written; callers should not assume
# router traffic is permitted by it.
163 function setup_masq {
165 # allow packets from/to router (for masquerading)
166 # runlocked $RUNLOCKED_OPTS ebtables -A $TO -s $NODE_MAC -j ACCEPT
167 # runlocked $RUNLOCKED_OPTS ebtables -A INPUT -i $INTERFACE -j $FROM
168 # runlocked $RUNLOCKED_OPTS ebtables -A OUTPUT -o $INTERFACE -j $TO
# Prepare the per-interface state file ($NFDHCPD_STATE_DIR/$INTERFACE) that
# nfdhcpd reads to serve DHCP/RA for this NIC: gateway and subnet for v4/v6
# and the EUI-64 derived from the MAC. The part that writes the file and
# sets IFACE is not in this excerpt.
173 function setup_nfdhcpd {
175 FILE=$NFDHCPD_STATE_DIR/$INTERFACE
# IFACE is the interface the packet appears to arrive from; needed in
# bridged mode, where packets appear to come from the bridge rather than
# from the tap.
185 GATEWAY=$NETWORK_GATEWAY
186 SUBNET=$NETWORK_SUBNET
187 GATEWAY6=$NETWORK_GATEWAY6
188 SUBNET6=$NETWORK_SUBNET6
# stderr is discarded, so with no IPv6 subnet this just leaves EUI64 empty
# (get_eui64 below guards the same case with an explicit prefix check).
189 EUI64=$($MAC2EUI64 $MAC $NETWORK_SUBNET6 2>/dev/null)
# Set the global UPLINK to the device of the default route in routing table
# $1; $2 is an optional ip(8) family flag ("-6"). Assumes the route prints
# as "default via <gw> dev <iface> ..." so that field 5 is the device —
# verify against the ip version in use. UPLINK is empty when the table has
# no default route; callers (e.g. routed_setup_ipv6) must check for that.
194 function get_uplink {
198 UPLINK=$(ip "$version" route list table "$table" | grep "default via" | awk '{print $5}')
202 # Because there is no IPv6 address value in our environment,
203 # we calculate it from the NIC's MAC and the IPv6 subnet (if any).
204 # First argument: MAC; second argument: IPv6 subnet.
205 # Changes the global value EUI64.
211 if [ -z "$prefix" ]; then
214 EUI64=$($MAC2EUI64 $mac $prefix)
220 # DDNS related functions
222 # omit the zone statement:
223 # nsupdate will attempt to determine the correct zone to update based on the rest of the input
227 $SNF_NETWORK_LOG dnshook "$command"
228 nsupdate -k $KEYFILE > /dev/null << EOF
241 if [ -n "$IP" ]; then
242 command="update $action $GANETI_INSTANCE_NAME.$FZONE $TTL A $IP"
243 send_command "$command"
# Add or delete the instance's AAAA record. $1 is the nsupdate verb
# (add/delete); the local assignment is not in this excerpt. Skipped when no
# EUI64 is known. The command string is built by interpolation and fed to
# nsupdate's stdin by send_command — an instance name or zone containing a
# newline would be read as an extra nsupdate command; presumably Ganeti
# restricts instance names to valid hostnames, confirm.
249 update_aaaarecord () {
253 if [ -n "$EUI64" ]; then
254 command="update $action $GANETI_INSTANCE_NAME.$FZONE $TTL AAAA $EUI64"
255 send_command "$command"
# Add or delete the IPv4 reverse (PTR) record for $IP. $1 is the nsupdate
# verb (add/delete). RLPART and RZONE are globals derived from $IP by the
# in-addr.arpa helper below; the PTR target is the instance FQDN. Skipped
# when no IPv4 address is assigned.
261 update_ptrrecord () {
265 if [ -n "$IP" ]; then
266 command="update $action $RLPART.$RZONE. $TTL PTR $GANETI_INSTANCE_NAME.$FZONE"
267 send_command "$command"
# Add or delete the IPv6 reverse (PTR) record for $EUI64. $1 is the nsupdate
# verb (add/delete). R6LPART already ends with a dot, so it is concatenated
# directly with R6ZONE (no separator) to form the full ip6.arpa name.
# Skipped when no EUI64 is known.
272 update_ptr6record () {
276 if [ -n "$EUI64" ]; then
277 command="update $action $R6LPART$R6ZONE. $TTL PTR $GANETI_INSTANCE_NAME.$FZONE"
278 send_command "$command"
286 update_arecord $action
287 update_aaaarecord $action
288 update_ptrrecord $action
289 update_ptr6record $action
294 # first argument is an eui64 (IPv6)
295 # sets GLOBAL args R6REC, R6ZONE, R6LPART
296 # for example, with eui64=2001:648:2ffc:1::1
297 # the following commands produce:
298 # R6REC=1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.c.f.f.2.8.4.6.0.1.0.0.2.ip6.arpa
299 # R6ZONE=1.0.0.0.c.f.f.2.8.4.6.0.1.0.0.2.ip6.arpa
300 # R6LPART=1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
304 if [ -z "$eui64" ]; then
305 R6REC= ; R6ZONE= ; R6LPART= ;
307 R6REC=$(host $eui64 | egrep -o '([[:alnum:]]\.){32}ip6.arpa' )
308 R6ZONE=$(echo $R6REC | awk -F. 'BEGIN{rpart="";} { for (i=32;i>16;i=i-1) rpart=$i "." rpart; } END{print rpart "ip6.arpa";}')
309 R6LPART=$(echo $R6REC | awk -F. 'BEGIN{lpart="";} { for (i=16;i>0;i=i-1) lpart=$i "." lpart; } END{print lpart;}')
315 # first argument is an ipv4
316 # sets args RZONE, RLPART
317 # for example, with IP=203.0.113.1
318 # RZONE="113.0.203.in-addr.arpa"
323 if [ -z "$ip" ]; then
329 a=$1 ; b=$2; c=$3; d=$4;
331 RZONE="$c.$b.$a.in-addr.arpa"
338 # Query nameserver for entries related to the specific instance
339 # An example output is the following:
340 # www.google.com has address 173.194.113.114
341 # www.google.com has address 173.194.113.115
342 # www.google.com has address 173.194.113.116
343 # www.google.com has address 173.194.113.112
344 # www.google.com has address 173.194.113.113
345 # www.google.com has IPv6 address 2a00:1450:4001:80b::1012
348 HOSTQ="host -s -R 3 -W 3"
349 HOST_IP_ALL=$($HOSTQ $GANETI_INSTANCE_NAME.$FZONE $SERVER | sed -n 's/.*has address //p')
350 HOST_IP6_ALL=$($HOSTQ $GANETI_INSTANCE_NAME.$FZONE $SERVER | sed -n 's/.*has IPv6 address //p')