MAC2EUI64=/usr/bin/mac2eui64
NFDHCPD_STATE_DIR=/var/lib/nfdhcpd
+function clear_routed_setup_ipv4 {
+
+ arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle
+ while ip rule del dev $INTERFACE; do :; done
+ iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
+
+}
+
+function clear_routed_setup_ipv6 {
+
+ while ip -6 rule del dev $INTERFACE; do :; done
+
+}
+
+
+function clear_routed_setup_firewall {
+
+ for oldchain in protected unprotected limited; do
+ iptables -D FORWARD -o $INTERFACE -j $oldchain
+ ip6tables -D FORWARD -o $INTERFACE -j $oldchain
+ done
+
+}
+
+function clear_ebtables {
+ TAP=$INTERFACE
+ FROM=FROM${TAP^^}
+ TO=TO${TAP^^}
+
+ ebtables -D INPUT -i $TAP -j $FROM
+ ebtables -D FORWARD -i $TAP -j $FROM
+ ebtables -D FORWARD -o $TAP -j $TO
+ ebtables -D OUTPUT -o $TAP -j $TO
+
+ ebtables -X $FROM
+ ebtables -X $TO
+}
+
+
+
function routed_setup_ipv4 {
- # get the link's default gateway
- gw=$(ip route list table $TABLE | sed -n 's/default via \([^ ]\+\).*/\1/p' | head -1)
# mangle ARPs to come from the gw's IP
- arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle >/dev/null 2>&1
- arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$gw"
+ arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY"
# route interface to the proper routing table
- while ip rule del dev $INTERFACE; do :; done
ip rule add dev $INTERFACE table $TABLE
# static route mapping IP -> INTERFACE
function routed_setup_ipv6 {
# Add a routing entry for the eui-64
- prefix=$(ip -6 route list table $TABLE | awk '/\/64/ {print $1; exit}')
- uplink=$(ip -6 route list table $TABLE | sed -n 's/default via .* dev \([^ ]\+\).*/\1/p' | head -1)
+ prefix=$NETWORK_SUBNET6
+ uplink=$PUBLIC_VLAN
eui64=$($MAC2EUI64 $MAC $prefix)
- while ip -6 rule del dev $INTERFACE; do :; done
+
ip -6 rule add dev $INTERFACE table $TABLE
ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE
ip -6 neigh add proxy $eui64 dev $uplink
esac
done
- # Flush any old rules. We have to consider all chains, since
- # we are not sure the instance was on the same chain, or had the same
- # tap interface.
- for oldchain in protected unprotected limited; do
- iptables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null
- ip6tables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null
- done
-
if [ "x$chain" != "x" ]; then
iptables -A FORWARD -o $INTERFACE -j $chain
ip6tables -A FORWARD -o $INTERFACE -j $chain
fi
}
-function routed_setup_nfdhcpd {
- umask 022
- cat >$NFDHCPD_STATE_DIR/$INTERFACE <<EOF
-IFACE=$1
-IP=$IP
-MAC=$MAC
-LINK=$TABLE
-HOSTNAME=$INSTANCE
-TAGS="$TAGS"
-EOF
-}
-
-function make_ebtables {
+function setup_ebtables {
TAP=$INTERFACE
FROM=FROM${TAP^^}
TO=TO${TAP^^}
-
- ebtables -D INPUT -i $TAP -j $FROM
- ebtables -D FORWARD -i $TAP -j $FROM
- ebtables -D FORWARD -o $TAP -j $TO
- ebtables -D OUTPUT -o $TAP -j $TO
-
- ebtables -X $FROM
- ebtables -X $TO
ebtables -N $FROM
- ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
- ebtables -A $FROM -s \! $MAC -j DROP
- ebtables -A INPUT -i $TAP -j $FROM
- ebtables -A FORWARD -i $TAP -j $FROM
+ # do not allow changes in ip-mac pair
+ if [ -n "$IP"]; then
+ ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
+ fi
+ ebtables -A $FROM -s \! $MAC -j DROP
+ ebtables -A FORWARD -i $TAP -j $FROM
ebtables -N $TO
ebtables -A FORWARD -o $TAP -j $TO
+ #accept dhcp responses from host (nfdhcpd)
+ ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
+ # allow only packets from the same mac prefix
+ ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
+}
+
+function setup_masq {
+ TAP=$INTERFACE
+ FROM=FROM${TAP^^}
+ TO=TO${TAP^^}
+
+ # allow packets from/to router (for masquerading)
+ ebtables -A $TO -s $PUBLIC_MAC -j ACCEPT
+ ebtables -A INPUT -i $TAP -j $FROM
ebtables -A OUTPUT -o $TAP -j $TO
- if [ $TYPE == "private" ]; then
- ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
- if [ ! -z $GATEWAY ]; then
- ebtables -A $TO -s $ROUTER_MAC -j ACCEPT
- fi
- fi
}
-#FIXME: import router mac from the config files
-# must know node group!! how???
-ROUTER_MAC=6e:10:e1:a0:c3:0f
-MAC_MASK=ff:ff:ff:0:0:0
+function setup_nfdhcpd {
+ umask 022
+ FILE=$NFDHCPD_STATE_DIR/$INTERFACE
+ #IFACE is the interface from which the packet seems to arrive
+ #needed in bridged mode where the packets seems to arrive from the
+ #bridge and not from the tap
+ cat >$FILE <<EOF
+INDEV=$INDEV
+IP=$IP
+MAC=$MAC
+HOSTNAME=$INSTANCE
+TAGS="$TAGS"
+GATEWAY=$NETWORK_GATEWAY
+SUBNET=$NETWORK_SUBNET
+GATEWAY6=$NETWORK_GATEWAY6
+SUBNET6=$NETWORK_SUBNET6
+EUI64=$($MAC2EUI64 $MAC $NETWORK_SUBNET6 2>/dev/null)
+EOF
+
+}
-TABLE=rt_$NETWORK
-source /var/lib/snf-network/networks/$NETWORK
+DEFAULT=/etc/default/snf-network
+source $DEFAULT
+source $CONF
+INFRA=$STATE_DIR/infra
-if [ "$MODE" = "routed" ]; then
- # special proxy-ARP/NDP routing mode
+source $INFRA
- # use a constant predefined MAC address for the tap
- ip link set $INTERFACE addr $TAP_CONSTANT_MAC
- # bring the tap up
- ifconfig $INTERFACE 0.0.0.0 up
+log-env
- # Drop unicast BOOTP/DHCP packets
- iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP 2>/dev/null
- iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
+clear_routed_setup_ipv4 > /dev/null 2>&1
+clear_routed_setup_ipv6 > /dev/null 2>&1
+clear_routed_setup_firewall > /dev/null 2>&1
+clear_ebtables > /dev/null 2>&1
- routed_setup_ipv4
- routed_setup_ipv6
- routed_setup_firewall
- routed_setup_nfdhcpd $INTERFACE
+if [ "$MODE" = "routed" ]; then
+ TABLE=$LINK
+ ip link set $INTERFACE addr $TAP_CONSTANT_MAC up
+ INDEV=$INTERFACE
elif [ "$MODE" = "bridged" ]; then
- while ip rule del dev $INTERFACE; do :; done
- ifconfig $INTERFACE 0.0.0.0 up
- brctl addif $BRIDGE $INTERFACE
- routed_setup_nfdhcpd $BRIDGE
- make_ebtables
-fi
+ ip link set $INTERFACE up
+ brctl addif $BRIDGE $INTERFACE
+ INDEV=$BRIDGE
+fi
+
+
+for tag in $NETWORK_TAGS; do
+ case $tag in
+ ip-less-routed)
+ routed_setup_ipv4 > /dev/null 2>&1
+ routed_setup_ipv6 > /dev/null 2>&1
+ routed_setup_firewall > /dev/null 2>&1
+ ;;
+ nfdhcpd)
+ # Drop unicast BOOTP/DHCP packets
+ iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
+ setup_nfdhcpd > /dev/null 2>&1
+ ;;
+ mac-filtered)
+ setup_ebtables > /dev/null 2>&1
+ ;;
+ masq)
+ setup_masq > /dev/null 2>&1
+ ;;
+ esac
+done
+
projects / snf-network / blobdiff