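#!/bin/bash
#
# Example Ganeti kvm ifup script (snf-network): configures an instance's tap
# interface on the host, based on the initial deployment of the Okeanos project.
#
# Two modes, selected by $MODE:
#   routed  - proxy-ARP/NDP with a per-network routing table, a constant tap
#             MAC, a DHCP-unicast drop rule and a per-instance iptables chain
#             chosen from the instance tags
#   bridged - the tap is attached to $BRIDGE and fenced with ebtables
#             anti-spoofing chains
# Both modes write the per-interface file under $NFDHCPD_STATE_DIR that
# nfdhcpd reads.
#
# Variables read (set by Ganeti's ifup environment or by the files sourced
# below - confirm against the deployment): INTERFACE, INTERFACE_INDEX, MAC, IP,
# NETWORK, TAGS, MODE, BRIDGE, TYPE, GATEWAY, SUBNET, GATEWAY6, SUBNET6, CONF,
# SHAREDDIR, ROUTER_MAC, MAC_MASK.
#
# Deliberately no `set -e`: deleting rules/chains that may not exist is part of
# the normal flow and those failures are ignored on purpose.

TAP_CONSTANT_MAC=cc:47:52:4e:45:54  # GRNET in hex :-)
MAC2EUI64=/usr/bin/mac2eui64
NFDHCPD_STATE_DIR=/var/lib/nfdhcpd

#######################################
# Remove the routed-mode host state of $INTERFACE: the ARP mangling rule, all
# policy-routing rules bound to the tap and the DHCP-unicast drop rule.
# Failures are expected (first setup, or tap previously in bridged mode).
# Globals: INTERFACE (read)
#######################################
clear_tap() {
  arptables -D OUTPUT -o "$INTERFACE" --opcode request -j mangle >/dev/null 2>&1
  # `ip rule del` removes one matching rule per call; loop until none is left
  while ip rule del dev "$INTERFACE"; do :; done
  iptables -D FORWARD -i "$INTERFACE" -p udp --dport 67 -j DROP 2>/dev/null
}

#######################################
# IPv4 side of routed mode: ARP requests leaving the tap appear to come from the
# gateway, traffic from the tap is looked up in $TABLE, the instance IP gets a
# static route to the tap, and proxy ARP answers on the instance's behalf.
# Globals: INTERFACE, GATEWAY, IP, TABLE (read)
#######################################
routed_setup_ipv4() {
  # mangle ARPs to come from the gw's IP
  arptables -A OUTPUT -o "$INTERFACE" --opcode request -j mangle --mangle-ip-s "$GATEWAY"
  # route interface to the proper routing table
  ip rule add dev "$INTERFACE" table "$TABLE"
  # static route mapping IP -> INTERFACE
  ip route replace "$IP" proto static dev "$INTERFACE" table "$TABLE"
  # Enable proxy ARP
  echo 1 > "/proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp"
}

#######################################
# IPv6 side of routed mode: derive the instance's EUI-64 address from $MAC and
# $SUBNET6, route it to the tap via $TABLE and publish it as a neighbour proxy
# on the uplink. Note that GATEWAY6 is used as a device name here (`dev`).
# Skipped entirely for networks without an IPv6 prefix or uplink.
# Globals: INTERFACE, MAC, SUBNET6, GATEWAY6, TABLE, MAC2EUI64 (read)
# Returns: 0, or 1 when the EUI-64 could not be computed
#######################################
routed_setup_ipv6() {
  local prefix=$SUBNET6 uplink=$GATEWAY6 eui64
  # every command below needs both values; nothing to do on an IPv4-only net
  if [ -z "$prefix" ] || [ -z "$uplink" ]; then
    return 0
  fi
  # Add a routing entry for the eui-64
  eui64=$("$MAC2EUI64" "$MAC" "$prefix") || return 1
  while ip -6 rule del dev "$INTERFACE"; do :; done
  ip -6 rule add dev "$INTERFACE" table "$TABLE"
  ip -6 ro replace "$eui64/128" dev "$INTERFACE" table "$TABLE"
  ip -6 neigh add proxy "$eui64" dev "$uplink"
  # disable proxy NDP since we're handling this on userspace
  # this should be the default, but better safe than sorry
  echo 0 > "/proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp"
}

#######################################
# Print the firewall chain selected by the instance tags, or nothing when no
# tag applies. A tag applies when, after stripping $1, it is one of
# protected/unprotected/limited; when several apply the last one wins.
# Arguments: $1 - tag prefix for this NIC (e.g. "synnefo:network:0:"),
#            remaining arguments - the tags, one per argument
# Outputs:   the chain name on stdout (no trailing newline)
#######################################
firewall_chain_from_tags() {
  local prefix=$1 chain= tag
  shift
  for tag in "$@"; do
    case ${tag#"$prefix"} in
      protected|unprotected|limited) chain=${tag#"$prefix"} ;;
    esac
  done
  printf '%s' "$chain"
}

#######################################
# Pick a firewall profile per NIC, based on tags, and apply it: detach the tap
# from every profile chain first, then attach it to the selected one. With no
# matching tag the tap is left attached to no profile chain.
# Globals: INTERFACE, INTERFACE_INDEX, TAGS (read)
#######################################
routed_setup_firewall() {
  local ifprefix="synnefo:network:$INTERFACE_INDEX:" chain oldchain
  # $TAGS is a whitespace-separated list; word-splitting is intended
  # shellcheck disable=SC2086
  chain=$(firewall_chain_from_tags "$ifprefix" $TAGS)
  # Flush any old rules. We have to consider all chains, since we are not sure
  # the instance was on the same chain, or had the same tap interface.
  for oldchain in protected unprotected limited; do
    iptables -D FORWARD -o "$INTERFACE" -j "$oldchain" 2>/dev/null
    ip6tables -D FORWARD -o "$INTERFACE" -j "$oldchain" 2>/dev/null
  done
  if [ -n "$chain" ]; then
    iptables -A FORWARD -o "$INTERFACE" -j "$chain"
    ip6tables -A FORWARD -o "$INTERFACE" -j "$chain"
  fi
}

#######################################
# Write the per-interface file for nfdhcpd under $NFDHCPD_STATE_DIR, named
# after the tap, world-readable (umask 022; it holds no secrets).
# Arguments: $1 - the interface packets seem to arrive from: the tap in routed
#            mode, the bridge in bridged mode (there the frames appear to come
#            from the bridge, not from the tap)
# Globals: INTERFACE, NFDHCPD_STATE_DIR, GATEWAY, SUBNET, GATEWAY6, SUBNET6
#          (read); FILE (written)
#######################################
setup_nfdhcpd() {
  umask 022
  FILE=$NFDHCPD_STATE_DIR/$INTERFACE
  # NOTE(review): the here-document that writes the mandatory keys (the ones
  # using $1 and the instance IP/MAC, presumably) was lost in this copy of the
  # script - the text between "<<" and the next ">" is missing, leaving the
  # invalid "cat >$FILE <> $FILE". Its keys cannot be recovered from this page;
  # restore them from the original snf-network script. Until then the file is
  # (re)created empty, which is what the truncated command did, and only the
  # optional keys below are appended.
  : > "$FILE"
  # The surviving fragment "> $FILE fi" right after the lost here-document
  # matches the GATEWAY case of the pattern below; presumed - confirm.
  if [ -n "$GATEWAY" ]; then
    printf 'GATEWAY=%s\n' "$GATEWAY" >> "$FILE"
  fi
  if [ -n "$SUBNET" ]; then
    printf 'SUBNET=%s\n' "$SUBNET" >> "$FILE"
  fi
  if [ -n "$GATEWAY6" ]; then
    printf 'GATEWAY6=%s\n' "$GATEWAY6" >> "$FILE"
  fi
  if [ -n "$SUBNET6" ]; then
    printf 'SUBNET6=%s\n' "$SUBNET6" >> "$FILE"
  fi
}

#######################################
# Remove the ebtables chains and jumps of $INTERFACE (FROM<TAP>/TO<TAP>) if any
# rule still references the tap. Callers silence the output.
# Globals: INTERFACE (read)
#######################################
clear_ebtables() {
  local TAP=$INTERFACE
  local FROM=FROM${TAP^^} TO=TO${TAP^^}
  # whole-word match so that e.g. tap1 does not see the rules of tap10
  if ebtables -L | grep -Fqw -- "$TAP"; then
    ebtables -D INPUT -i "$TAP" -j "$FROM"
    ebtables -D FORWARD -i "$TAP" -j "$FROM"
    ebtables -D FORWARD -o "$TAP" -j "$TO"
    ebtables -D OUTPUT -o "$TAP" -j "$TO"
    ebtables -X "$FROM"
    ebtables -X "$TO"
  fi
}

#######################################
# Bridged-mode anti-spoofing: frames from the tap must carry the instance's own
# IP and MAC; frames to the tap are limited to DHCP replies and, on private
# networks, to the router and to MACs sharing the instance's MAC prefix.
# Globals: INTERFACE, IP, MAC, TYPE, GATEWAY, ROUTER_MAC, MAC_MASK (read)
#######################################
setup_ebtables() {
  local TAP=$INTERFACE
  local FROM=FROM${TAP^^} TO=TO${TAP^^}
  ebtables -N "$FROM"
  # do not allow changes in ip-mac pair
  ebtables -A "$FROM" --ip-source \! "$IP" -p ipv4 -j DROP
  ebtables -A "$FROM" -s \! "$MAC" -j DROP
  ebtables -A FORWARD -i "$TAP" -j "$FROM"
  ebtables -N "$TO"
  ebtables -A FORWARD -o "$TAP" -j "$TO"
  # accept dhcp responses from host (nfdhcpd)
  ebtables -A "$TO" -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
  if [ "$TYPE" = "private" ]; then
    if [ -n "$GATEWAY" ]; then
      # allow frames from the router (for masquerading) and filter the host's
      # own traffic with the tap too, not only forwarded frames
      ebtables -A "$TO" -s "$ROUTER_MAC" -j ACCEPT
      ebtables -A INPUT -i "$TAP" -j "$FROM"
      ebtables -A OUTPUT -o "$TAP" -j "$TO"
    fi
    # allow only packets from the same mac prefix
    ebtables -A "$TO" -s \! "$MAC/$MAC_MASK" -j DROP
  fi
}

# --- main -------------------------------------------------------------------
# The files below are executed by this (root) script, so only trusted writers
# should be able to modify $DEFAULT, $CONF and the contents of $SHAREDDIR.
DEFAULT=/etc/default/snf-network
source "$DEFAULT"
source "$CONF"
NODEINFRAFILE=$SHAREDDIR/infra/$(hostname)
if [ -e "$NODEINFRAFILE" ]; then
  source "$NODEINFRAFILE"
fi
NETFILE=$SHAREDDIR/networks/$NETWORK
if [ -e "$NETFILE" ]; then
  source "$NETFILE"
fi

case "$MODE" in
  routed)
    TABLE=rt_$NETWORK
    # special proxy-ARP/NDP routing mode
    clear_tap
    # use a constant predefined MAC address for the tap
    ip link set "$INTERFACE" addr "$TAP_CONSTANT_MAC"
    # bring the tap up
    ifconfig "$INTERFACE" 0.0.0.0 up
    # Drop unicast BOOTP/DHCP packets
    iptables -A FORWARD -i "$INTERFACE" -p udp --dport 67 -j DROP
    routed_setup_ipv4
    routed_setup_ipv6
    routed_setup_firewall
    setup_nfdhcpd "$INTERFACE"
    clear_ebtables >/dev/null 2>&1
    ;;
  bridged)
    clear_tap
    clear_ebtables >/dev/null 2>&1
    ifconfig "$INTERFACE" 0.0.0.0 up
    brctl addif "$BRIDGE" "$INTERFACE"
    setup_nfdhcpd "$BRIDGE"
    setup_ebtables
    ;;
esac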