9 function clear_routed_setup_ipv4 {
11 arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle
12 while ip rule del dev $INTERFACE; do :; done
13 iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
17 function clear_routed_setup_ipv6 {
19 while ip -6 rule del dev $INTERFACE; do :; done
24 function clear_routed_setup_firewall {
26 for oldchain in protected unprotected limited; do
27 iptables -D FORWARD -o $INTERFACE -j $oldchain
28 ip6tables -D FORWARD -o $INTERFACE -j $oldchain
33 function clear_ebtables {
35 runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -i $INTERFACE -j $FROM
36 runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -o $INTERFACE -j $TO
37 #runlocked $RUNLOCKED_OPTS ebtables -D OUTPUT -o $INTERFACE -j $TO
39 runlocked $RUNLOCKED_OPTS ebtables -X $FROM
40 runlocked $RUNLOCKED_OPTS ebtables -X $TO
44 function clear_nfdhcpd {
46 rm $NFDHCPD_STATE_DIR/$INTERFACE
51 function routed_setup_ipv4 {
53 if [ -z "$INTERFACE" -o -z "$NETWORK_GATEWAY" -o -z "$IP" -o -z "$TABLE" ]
58 # mangle ARPs to come from the gw's IP
59 arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY"
61 # route interface to the proper routing table
62 ip rule add dev $INTERFACE table $TABLE
64 # static route mapping IP -> INTERFACE
65 ip route replace $IP proto static dev $INTERFACE table $TABLE
68 echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
70 # Send GARP from host to upstream router
72 echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
73 hooks-log $0 "arping -c3 -I $UPLINK -U $IP"
74 arping -c3 -I $UPLINK -U $IP
75 echo 0 > /proc/sys/net/ipv4/ip_nonlocal_bind
79 function routed_setup_ipv6 {
80 # Add a routing entry for the eui-64
81 get_uplink $TABLE "-6"
82 get_eui64 $MAC $NETWORK_SUBNET6
84 if [ -z "$EUI64" -o -z "$TABLE" -o -z "$INTERFACE" -o -z "$UPLINK" ]
89 ip -6 rule add dev $INTERFACE table $TABLE
90 ip -6 ro replace $EUI64/128 dev $INTERFACE table $TABLE
91 ip -6 neigh add proxy $EUI64 dev $UPLINK
93 # disable proxy NDP since we're handling this on userspace
94 # this should be the default, but better safe than sorry
95 echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp
97 # Send Unsolicited Neighbor Advertisement
98 hooks-log $0 "ndsend $EUI64 $UPLINK"
103 # pick a firewall profile per NIC, based on tags (and apply it)
104 function routed_setup_firewall {
105 # for latest ganeti there is no need to check other but uuid
106 ifprefixindex="synnefo:network:$INTERFACE_INDEX:"
107 ifprefixname="synnefo:network:$INTERFACE_NAME:"
108 ifprefixuuid="synnefo:network:$INTERFACE_UUID:"
110 tag=${tag#$ifprefixindex}
111 tag=${tag#$ifprefixname}
112 tag=${tag#$ifprefixuuid}
126 if [ "x$chain" != "x" ]; then
127 iptables -A FORWARD -o $INTERFACE -j $chain
128 ip6tables -A FORWARD -o $INTERFACE -j $chain
132 function init_ebtables {
134 runlocked $RUNLOCKED_OPTS ebtables -N $FROM
135 runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -i $INTERFACE -j $FROM
136 runlocked $RUNLOCKED_OPTS ebtables -N $TO
137 runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -o $INTERFACE -j $TO
142 function setup_ebtables {
144 # do not allow changes in ip-mac pair
146 runlocked $RUNLOCKED_OPTS ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
148 runlocked $RUNLOCKED_OPTS ebtables -A $FROM -s \! $MAC -j DROP
149 #accept dhcp responses from host (nfdhcpd)
150 runlocked $RUNLOCKED_OPTS ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
151 # allow only packets from the same mac prefix
152 runlocked $RUNLOCKED_OPTS ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
155 function setup_masq {
157 # allow packets from/to router (for masquerading)
158 # runlocked $RUNLOCKED_OPTS ebtables -A $TO -s $NODE_MAC -j ACCEPT
159 # runlocked $RUNLOCKED_OPTS ebtables -A INPUT -i $INTERFACE -j $FROM
160 # runlocked $RUNLOCKED_OPTS ebtables -A OUTPUT -o $INTERFACE -j $TO
165 function setup_nfdhcpd {
167 FILE=$NFDHCPD_STATE_DIR/$INTERFACE
168 #IFACE is the interface from which the packet seems to arrive
169 #needed in bridged mode where the packets seems to arrive from the
170 #bridge and not from the tap
177 GATEWAY=$NETWORK_GATEWAY
178 SUBNET=$NETWORK_SUBNET
179 GATEWAY6=$NETWORK_GATEWAY6
180 SUBNET6=$NETWORK_SUBNET6
181 EUI64=$($MAC2EUI64 $MAC $NETWORK_SUBNET6 2>/dev/null)
186 function get_uplink {
190 UPLINK=$(ip "$version" route list table "$table" | grep "default via" | awk '{print $5}')
194 # Because we do not have an IPv6 value in our environment,
195 # we calculate it based on the NIC's MAC and the IPv6 subnet (if any).
196 # First argument: MAC; second argument: IPv6 subnet.
197 # Changes the global value EUI64.
203 if [ -z "$prefix" ]; then
206 EUI64=$($MAC2EUI64 $mac $prefix)