}
function clear_ebtables {
- TAP=$INTERFACE
- FROM=FROM${TAP^^}
- TO=TO${TAP^^}
- ebtables -D INPUT -i $TAP -j $FROM
ebtables -D FORWARD -i $TAP -j $FROM
ebtables -D FORWARD -o $TAP -j $TO
- ebtables -D OUTPUT -o $TAP -j $TO
+ #ebtables -D OUTPUT -o $TAP -j $TO
ebtables -X $FROM
ebtables -X $TO
function routed_setup_ipv4 {
# mangle ARPs to come from the gw's IP
- arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$GATEWAY"
+ arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY"
# route interface to the proper routing table
- ip rule add dev $INTERFACE table $TABLE
+ ip rule add dev $INTERFACE table $TABLE
# static route mapping IP -> INTERFACE
ip route replace $IP proto static dev $INTERFACE table $TABLE
function routed_setup_ipv6 {
# Add a routing entry for the eui-64
- prefix=$SUBNET6
+ prefix=$NETWORK_SUBNET6
uplink=$PUBLIC_VLAN
eui64=$($MAC2EUI64 $MAC $prefix)
-
+
ip -6 rule add dev $INTERFACE table $TABLE
ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE
- ip -6 neigh add proxy $eui64 dev $uplink
+ ip -6 neigh add proxy $eui64 dev $uplink
# disable proxy NDP since we're handling this on userspace
# this should be the default, but better safe than sorry
fi
}
-function setup_ebtables {
- TAP=$INTERFACE
- FROM=FROM${TAP^^}
- TO=TO${TAP^^}
+function init_ebtables {
ebtables -N $FROM
+ ebtables -A FORWARD -i $TAP -j $FROM
+ ebtables -N $TO
+ ebtables -A FORWARD -o $TAP -j $TO
+
+}
+
+
+function setup_ebtables {
+
# do not allow changes in ip-mac pair
if [ -n "$IP"]; then
ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
fi
ebtables -A $FROM -s \! $MAC -j DROP
- ebtables -A FORWARD -i $TAP -j $FROM
- ebtables -N $TO
- ebtables -A FORWARD -o $TAP -j $TO
#accept dhcp responses from host (nfdhcpd)
ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
# allow only packets from the same mac prefix
ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
- if [ $ENABLE_MASQ -a -n "$GATEWAY" ]; then
- # allow packets from/to router (for masquerading)
- ebtables -A $TO -s $PUBLIC_MAC -j ACCEPT
- ebtables -A INPUT -i $TAP -j $FROM
- ebtables -A OUTPUT -o $TAP -j $TO
- fi
}
+function setup_masq {
+
+ # allow packets from/to router (for masquerading)
+ # ebtables -A $TO -s $PUBLIC_MAC -j ACCEPT
+ # ebtables -A INPUT -i $TAP -j $FROM
+ # ebtables -A OUTPUT -o $TAP -j $TO
+ return
+
+}
function setup_nfdhcpd {
umask 022
#needed in bridged mode where the packets seems to arrive from the
#bridge and not from the tap
cat >$FILE <<EOF
-INDEV=$1
+INDEV=$INDEV
IP=$IP
MAC=$MAC
HOSTNAME=$INSTANCE
TAGS="$TAGS"
-GATEWAY=$GATEWAY
-SUBNET=$SUBNET
-GATEWAY6=$GATEWAY6
-SUBNET6=$SUBNET6
-EUI64=$($MAC2EUI64 $MAC $SUBNET6 2>/dev/null)
+GATEWAY=$NETWORK_GATEWAY
+SUBNET=$NETWORK_SUBNET
+GATEWAY6=$NETWORK_GATEWAY6
+SUBNET6=$NETWORK_SUBNET6
+EUI64=$($MAC2EUI64 $MAC $NETWORK_SUBNET6 2>/dev/null)
EOF
}
source $INFRA
+log-env
+
+TAP=$INTERFACE
+FROM=FROM${TAP^^}
+TO=TO${TAP^^}
clear_routed_setup_ipv4 > /dev/null 2>&1
clear_routed_setup_ipv6 > /dev/null 2>&1
if [ "$MODE" = "routed" ]; then
TABLE=$LINK
- # use a constant predefined MAC address for the tap
- ip link set $INTERFACE addr $TAP_CONSTANT_MAC
- # bring the tap up
- ifconfig $INTERFACE 0.0.0.0 up
-
- # Drop unicast BOOTP/DHCP packets
- iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
-
- routed_setup_ipv4 > /dev/null 2>&1
- routed_setup_ipv6 > /dev/null 2>&1
- routed_setup_firewall > /dev/null 2>&1
- setup_nfdhcpd $INTERFACE
+ ip link set $INTERFACE addr $TAP_CONSTANT_MAC up
+ INDEV=$INTERFACE
+ DROPDHCPREQCMD="iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP"
elif [ "$MODE" = "bridged" ]; then
- ifconfig $INTERFACE 0.0.0.0 up
- brctl addif $BRIDGE $INTERFACE
- setup_nfdhcpd $BRIDGE
- if [ $ENABLE_EBTABLES -a "$TYPE" = "private" ]; then
- setup_ebtables > /dev/null 2>&1
- fi
+ ip link set $INTERFACE up
+ brctl addif $BRIDGE $INTERFACE
+ INDEV=$BRIDGE
+ init_ebtables > /dev/null 2>&1
+ DROPDHCPREQCMD="ebtables -A $FROM -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP"
fi
+
+
+for tag in $NETWORK_TAGS; do
+ case $tag in
+ ip-less-routed)
+ routed_setup_ipv4 > /dev/null 2>&1
+ routed_setup_ipv6 > /dev/null 2>&1
+ routed_setup_firewall > /dev/null 2>&1
+ ;;
+ nfdhcpd)
+ # Drop unicast BOOTP/DHCP packets
+ $DROPDHCPREQCMD > /dev/null 2>&1
+ setup_nfdhcpd > /dev/null 2>&1
+ ;;
+ mac-filtered)
+ setup_ebtables > /dev/null 2>&1
+ ;;
+ masq)
+ setup_masq > /dev/null 2>&1
+ ;;
+ esac
+done
+
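Review bot: In bridged mode the new `init_ebtables` installs the `ebtables -A FORWARD -i $TAP -j $FROM` / `-o $TAP -j $TO` jumps unconditionally (the call right after `brctl addif`), while the DROP rules are only appended later in `setup_ebtables` and only when the `mac-filtered` tag is present, so both user chains pass traffic unfiltered between the two calls and permanently for any network without that tag; the removed version appended the `$FROM` jump only after its DROP rules were in place. Moving the two `ebtables -A FORWARD ...` lines from `init_ebtables` to the end of `setup_ebtables` restores that ordering for both chains (`init_ebtables` then only does `ebtables -N $FROM` and `ebtables -N $TO`). Separately, the retained line `if [ -n "$IP"]; then` in `setup_ebtables` lacks a space before `]`, so `[` fails with a "missing `]`" error and the `--ip-source \! $IP ... -j DROP` rule is never added, a failure that the new `setup_ebtables > /dev/null 2>&1` redirection hides; it should read `if [ -n "$IP" ]; then`. `DROPDHCPREQCMD` holds a command as a string and is expanded unquoted in the `nfdhcpd` arm; a small function or an array expanded as `"${DROPDHCPREQCMD[@]}"` is the usual form and avoids word-splitting surprises.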