}
-
function clear_routed_setup_ipv4 {
arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle
function clear_ebtables {
- ebtables -D FORWARD -i $INTERFACE -j $FROM
- ebtables -D FORWARD -o $INTERFACE -j $TO
- #ebtables -D OUTPUT -o $INTERFACE -j $TO
+ runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -i $INTERFACE -j $FROM
+ runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -o $INTERFACE -j $TO
+ #runlocked $RUNLOCKED_OPTS ebtables -D OUTPUT -o $INTERFACE -j $TO
- ebtables -X $FROM
- ebtables -X $TO
+ runlocked $RUNLOCKED_OPTS ebtables -X $FROM
+ runlocked $RUNLOCKED_OPTS ebtables -X $TO
}
function routed_setup_ipv4 {
+ if [ -z "$INTERFACE" -o -z "$NETWORK_GATEWAY" -o -z "$IP" -o -z "$TABLE" ]
+ then
+ return
+ fi
+
# mangle ARPs to come from the gw's IP
arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY"
# Enable proxy ARP
echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
+
+ # Send GARP from host to upstream router
+ get_uplink $TABLE
+ echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
+ hooks-log $0 "arping -c3 -I $UPLINK -U $IP"
+ arping -c3 -I $UPLINK -U $IP
+ echo 0 > /proc/sys/net/ipv4/ip_nonlocal_bind
+
}
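Review bot: The GARP block ends by writing 0 to /proc/sys/net/ipv4/ip_nonlocal_bind unconditionally, which clobbers a value another component on the node may have set, and the reset is skipped if the hook exits between the two writes (e.g. under `set -e` when arping fails); unlike the IPv6 path, UPLINK is also never checked after `get_uplink $TABLE`, so an empty result turns the call into `arping -c3 -I -U <ip>`. Read the sysctl first and put it back, e.g. `nlb=$(cat /proc/sys/net/ipv4/ip_nonlocal_bind)` before the block and `echo "$nlb" > /proc/sys/net/ipv4/ip_nonlocal_bind` after it, and add `-z "$UPLINK"` to a guard placed after get_uplink has run. The `[ -z ... -o -z ... ]` chain is the ambiguous POSIX form; `[[ -z "$INTERFACE" || -z "$NETWORK_GATEWAY" || -z "$IP" || -z "$TABLE" ]]` is the safer spelling, and the same form appears in the new guard of routed_setup_ipv6.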
function routed_setup_ipv6 {
# Add a routing entry for the eui-64
- prefix=$NETWORK_SUBNET6
- uplink=$(ip -6 route list table $TABLE | grep "default via" | awk '{print $5}')
- eui64=$($MAC2EUI64 $MAC $prefix)
+ get_uplink $TABLE "-6"
+ get_eui64 $MAC $NETWORK_SUBNET6
+ if [ -z "$EUI64" -o -z "$TABLE" -o -z "$INTERFACE" -o -z "$UPLINK" ]
+ then
+ return
+ fi
ip -6 rule add dev $INTERFACE table $TABLE
- ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE
- ip -6 neigh add proxy $eui64 dev $uplink
+ ip -6 ro replace $EUI64/128 dev $INTERFACE table $TABLE
+ ip -6 neigh add proxy $EUI64 dev $UPLINK
# disable proxy NDP since we're handling this on userspace
# this should be the default, but better safe than sorry
echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp
+
+ # Send Unsolicited Neighbor Advertisement
+ hooks-log $0 "ndsend $EUI64 $UPLINK"
+ ndsend $EUI64 $UPLINK
+
}
# pick a firewall profile per NIC, based on tags (and apply it)
function routed_setup_firewall {
- ifprefix="synnefo:network:$INTERFACE_INDEX:"
+ # for latest ganeti there is no need to check other but uuid
+ ifprefixindex="synnefo:network:$INTERFACE_INDEX:"
+ ifprefixname="synnefo:network:$INTERFACE_NAME:"
+ ifprefixuuid="synnefo:network:$INTERFACE_UUID:"
for tag in $TAGS; do
- case ${tag#$ifprefix} in
+ tag=${tag#$ifprefixindex}
+ tag=${tag#$ifprefixname}
+ tag=${tag#$ifprefixuuid}
+ case $tag in
protected)
chain=protected
;;
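Review bot: The three prefix strips `tag=${tag#$ifprefixindex}`, `tag=${tag#$ifprefixname}` and `tag=${tag#$ifprefixuuid}` leave the prefix unquoted, so INTERFACE_NAME and INTERFACE_UUID are interpreted as glob patterns rather than literal strings; quoting them, `tag=${tag#"$ifprefixindex"}` and likewise for the other two, matches literally. Because the strips are applied in sequence, a tag becomes eligible for the `case` when any one of the three prefixes matches, so the comment "for latest ganeti there is no need to check other but uuid" does not describe what the code does; either say that index and name are still honoured for older Ganeti, or drop the index/name strips as the comment suggests. The `case` statement and routed_setup_firewall continue outside the hunk.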
function init_ebtables {
- ebtables -N $FROM
- ebtables -A FORWARD -i $INTERFACE -j $FROM
- ebtables -N $TO
- ebtables -A FORWARD -o $INTERFACE -j $TO
+ runlocked $RUNLOCKED_OPTS ebtables -N $FROM
+ runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -i $INTERFACE -j $FROM
+ runlocked $RUNLOCKED_OPTS ebtables -N $TO
+ runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -o $INTERFACE -j $TO
}
# do not allow changes in ip-mac pair
if [ -n "$IP"]; then
- ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
+ runlocked $RUNLOCKED_OPTS ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
fi
- ebtables -A $FROM -s \! $MAC -j DROP
+ runlocked $RUNLOCKED_OPTS ebtables -A $FROM -s \! $MAC -j DROP
#accept dhcp responses from host (nfdhcpd)
- ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
+ runlocked $RUNLOCKED_OPTS ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
# allow only packets from the same mac prefix
- ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
+ runlocked $RUNLOCKED_OPTS ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
}
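Review bot: The guard `if [ -n "$IP"]; then` on the context line above the new `--ip-source \! $IP` rule is missing the space before `]`, so `[` receives `-n` and `<ip>]` as its only arguments and fails with a "missing `]`" error (status 2); the IP anti-spoofing DROP rule is therefore never installed and only the MAC rule below it takes effect. Fix it as `if [ -n "$IP" ]; then` (or `if [[ -n "$IP" ]]; then`), since the commit wraps the rule in runlocked but keeps the broken condition. The enclosing function's header is outside the hunk.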
function setup_masq {
# allow packets from/to router (for masquerading)
- # ebtables -A $TO -s $NODE_MAC -j ACCEPT
- # ebtables -A INPUT -i $INTERFACE -j $FROM
- # ebtables -A OUTPUT -o $INTERFACE -j $TO
+ # runlocked $RUNLOCKED_OPTS ebtables -A $TO -s $NODE_MAC -j ACCEPT
+ # runlocked $RUNLOCKED_OPTS ebtables -A INPUT -i $INTERFACE -j $FROM
+ # runlocked $RUNLOCKED_OPTS ebtables -A OUTPUT -o $INTERFACE -j $TO
return
}
}
+function get_uplink {
+
+ local table=$1
+ local version=$2
+ UPLINK=$(ip "$version" route list table "$table" | grep "default via" | awk '{print $5}')
+
+}
+
+# Because we do not have IPv6 value in our environment
+# we caclulate it based on the NIC's MAC and the IPv6 subnet (if any)
+# first argument MAC second IPv6 subnet
+# Changes global value EUI64
+get_eui64 () {
+
+ local mac=$1
+ local prefix=$2
+
+ if [ -z "$prefix" ]; then
+ EUI64=
+ else
+ EUI64=$($MAC2EUI64 $mac $prefix)
+ fi
+
+}
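Review bot: get_uplink passes `"$version"` to ip even when it is called with a single argument, as routed_setup_ipv4 now does, so an empty string reaches ip as its first object argument; depending on the iproute2 version that is either an error or a prefix match on an unrelated object, and UPLINK ends up empty or wrong. Expand it only when set: `UPLINK=$(ip ${version:+"$version"} route list table "$table" | awk '/default via/ {print $5; exit}')`, which also keeps UPLINK to a single device name when the table holds more than one default route instead of a multi-line value that later breaks `arping -I`/`ndsend`. The header comment of get_eui64 has "caclulate" for "calculate".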