MAC2EUI64=/usr/bin/mac2eui64
NFDHCPD_STATE_DIR=/var/lib/nfdhcpd
+function clear_routed_setup_ipv4 {
+ arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle
+ while ip rule del dev $INTERFACE; do :; done
+ iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
-function clear_tap {
+}
- arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle >/dev/null 2>&1
- while ip rule del dev $INTERFACE; do :; done
- iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP 2>/dev/null
+function clear_routed_setup_ipv6 {
+ while ip -6 rule del dev $INTERFACE; do :; done
}
+
+function clear_routed_setup_firewall {
+
+ for oldchain in protected unprotected limited; do
+ iptables -D FORWARD -o $INTERFACE -j $oldchain
+ ip6tables -D FORWARD -o $INTERFACE -j $oldchain
+ done
+
+}
+
+function clear_ebtables {
+ TAP=$INTERFACE
+ FROM=FROM${TAP^^}
+ TO=TO${TAP^^}
+
+ ebtables -D INPUT -i $TAP -j $FROM
+ ebtables -D FORWARD -i $TAP -j $FROM
+ ebtables -D FORWARD -o $TAP -j $TO
+ ebtables -D OUTPUT -o $TAP -j $TO
+
+ ebtables -X $FROM
+ ebtables -X $TO
+}
+
+
+
function routed_setup_ipv4 {
# mangle ARPs to come from the gw's IP
arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$GATEWAY"
# route interface to the proper routing table
- ip rule add dev $INTERFACE table $TABLE
+ ip rule add dev $INTERFACE table $TABLE
# static route mapping IP -> INTERFACE
ip route replace $IP proto static dev $INTERFACE table $TABLE
function routed_setup_ipv6 {
# Add a routing entry for the eui-64
prefix=$SUBNET6
- uplink=$GATEWAY6
+ uplink=$PUBLIC_VLAN
eui64=$($MAC2EUI64 $MAC $prefix)
- while ip -6 rule del dev $INTERFACE; do :; done
+
ip -6 rule add dev $INTERFACE table $TABLE
ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE
- ip -6 neigh add proxy $eui64 dev $uplink
+ ip -6 neigh add proxy $eui64 dev $uplink
# disable proxy NDP since we're handling this on userspace
# this should be the default, but better safe than sorry
esac
done
- # Flush any old rules. We have to consider all chains, since
- # we are not sure the instance was on the same chain, or had the same
- # tap interface.
- for oldchain in protected unprotected limited; do
- iptables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null
- ip6tables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null
- done
-
if [ "x$chain" != "x" ]; then
iptables -A FORWARD -o $INTERFACE -j $chain
ip6tables -A FORWARD -o $INTERFACE -j $chain
fi
}
-function setup_nfdhcpd {
- umask 022
- FILE=$NFDHCPD_STATE_DIR/$INTERFACE
- #IFACE is the interface from which the packet seems to arrive
- #needed in bridged mode where the packets seems to arrive from the
- #bridge and not from the tap
- cat >$FILE <<EOF
-IFACE=$1
-IP=$IP
-MAC=$MAC
-HOSTNAME=$INSTANCE
-TAGS="$TAGS"
-EOF
-if [ -n "$GATEWAY" ]; then
- echo GATEWAY=$GATEWAY >> $FILE
-fi
-if [ -n "$SUBNET" ]; then
- echo SUBNET=$SUBNET >> $FILE
-fi
-if [ -n "$GATEWAY6" ]; then
- echo GATEWAY6=$GATEWAY6 >> $FILE
-fi
-if [ -n "$SUBNET6" ]; then
- echo SUBNET6=$SUBNET6 >> $FILE
-fi
-
-}
-
-function clear_ebtables {
- TAP=$INTERFACE
- FROM=FROM${TAP^^}
- TO=TO${TAP^^}
-
- exist=$(ebtables -L | grep $TAP)
-
- if [ ! -z "$exist" ]; then
- ebtables -D INPUT -i $TAP -j $FROM
- ebtables -D FORWARD -i $TAP -j $FROM
- ebtables -D FORWARD -o $TAP -j $TO
- ebtables -D OUTPUT -o $TAP -j $TO
-
- ebtables -X $FROM
- ebtables -X $TO
- fi
-}
-
function setup_ebtables {
TAP=$INTERFACE
FROM=FROM${TAP^^}
ebtables -N $FROM
# do not allow changes in ip-mac pair
- ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
+ if [ -n "$IP"]; then
+ ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
+ fi
ebtables -A $FROM -s \! $MAC -j DROP
ebtables -A FORWARD -i $TAP -j $FROM
ebtables -N $TO
}
+function setup_nfdhcpd {
+ umask 022
+ FILE=$NFDHCPD_STATE_DIR/$INTERFACE
+ #IFACE is the interface from which the packet seems to arrive
+ #needed in bridged mode where the packets seems to arrive from the
+ #bridge and not from the tap
+ cat >$FILE <<EOF
+INDEV=$1
+IP=$IP
+MAC=$MAC
+HOSTNAME=$INSTANCE
+TAGS="$TAGS"
+GATEWAY=$GATEWAY
+SUBNET=$SUBNET
+GATEWAY6=$GATEWAY6
+SUBNET6=$SUBNET6
+EUI64=$($MAC2EUI64 $MAC $SUBNET6 2>/dev/null)
+EOF
+
+}
+
DEFAULT=/etc/default/snf-network
source $DEFAULT
source $CLUSTERINFRAFILE
fi
-NETFILE=$SHAREDDIR/networks/$NETWORK
-
-if [ -e "$NETFILE" ]; then
- source $NETFILE
-fi
+TABLE=rt_$NETWORK
+clear_routed_setup_ipv4 > /dev/null 2>&1
+clear_routed_setup_ipv6 > /dev/null 2>&1
+clear_routed_setup_firewall > /dev/null 2>&1
+clear_ebtables > /dev/null 2>&1
if [ "$MODE" = "routed" ]; then
- TABLE=rt_$NETWORK
- # special proxy-ARP/NDP routing mode
- clear_tap
# use a constant predefined MAC address for the tap
ip link set $INTERFACE addr $TAP_CONSTANT_MAC
# bring the tap up
# Drop unicast BOOTP/DHCP packets
iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
- routed_setup_ipv4
- routed_setup_ipv6
- routed_setup_firewall
+ routed_setup_ipv4 > /dev/null 2>&1
+ routed_setup_ipv6 > /dev/null 2>&1
+ routed_setup_firewall > /dev/null 2>&1
setup_nfdhcpd $INTERFACE
- clear_ebtables >/dev/null 2>&1
elif [ "$MODE" = "bridged" ]; then
- clear_tap
- clear_ebtables >/dev/null 2>&1
ifconfig $INTERFACE 0.0.0.0 up
brctl addif $BRIDGE $INTERFACE
setup_nfdhcpd $BRIDGE
- setup_ebtables
+ setup_ebtables > /dev/null 2>&1
fi
projects / snf-network / blobdiff