MAC2EUI64=/usr/bin/mac2eui64
NFDHCPD_STATE_DIR=/var/lib/nfdhcpd
-function clear_tap {
-
- arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle >/dev/null 2>&1
+function clear_routed_setup_ipv4 {
+
+ arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle
while ip rule del dev $INTERFACE; do :; done
- iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP 2>/dev/null
+ iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
+
+}
+
+function clear_routed_setup_ipv6 {
+
+ while ip -6 rule del dev $INTERFACE; do :; done
+
+}
+
+
+function clear_routed_setup_firewall {
+ for oldchain in protected unprotected limited; do
+ iptables -D FORWARD -o $INTERFACE -j $oldchain
+ ip6tables -D FORWARD -o $INTERFACE -j $oldchain
+ done
}
+function clear_ebtables {
+ TAP=$INTERFACE
+ FROM=FROM${TAP^^}
+ TO=TO${TAP^^}
+
+ ebtables -D INPUT -i $TAP -j $FROM
+ ebtables -D FORWARD -i $TAP -j $FROM
+ ebtables -D FORWARD -o $TAP -j $TO
+ ebtables -D OUTPUT -o $TAP -j $TO
+
+ ebtables -X $FROM
+ ebtables -X $TO
+}
+
+
+
function routed_setup_ipv4 {
- # get the link's default gateway
- gw=$GATEWAY
# mangle ARPs to come from the gw's IP
- arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$gw"
+ arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$GATEWAY"
# route interface to the proper routing table
- ip rule add dev $INTERFACE table $TABLE
+ ip rule add dev $INTERFACE table $TABLE
# static route mapping IP -> INTERFACE
ip route replace $IP proto static dev $INTERFACE table $TABLE
function routed_setup_ipv6 {
# Add a routing entry for the eui-64
prefix=$SUBNET6
- uplink=$GATEWAY6
+ uplink=$PUBLIC_VLAN
eui64=$($MAC2EUI64 $MAC $prefix)
- while ip -6 rule del dev $INTERFACE; do :; done
+
ip -6 rule add dev $INTERFACE table $TABLE
ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE
- ip -6 neigh add proxy $eui64 dev $uplink
+ ip -6 neigh add proxy $eui64 dev $uplink
# disable proxy NDP since we're handling this on userspace
# this should be the default, but better safe than sorry
esac
done
- # Flush any old rules. We have to consider all chains, since
- # we are not sure the instance was on the same chain, or had the same
- # tap interface.
- for oldchain in protected unprotected limited; do
- iptables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null
- ip6tables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null
- done
-
if [ "x$chain" != "x" ]; then
iptables -A FORWARD -o $INTERFACE -j $chain
ip6tables -A FORWARD -o $INTERFACE -j $chain
fi
}
-function setup_nfdhcpd {
- umask 022
- FILE=$NFDHCPD_STATE_DIR/$INTERFACE
- cat >$FILE <<EOF
-IFACE=$1
-IP=$IP
-MAC=$MAC
-LINK=$TABLE
-HOSTNAME=$INSTANCE
-TAGS="$TAGS"
-EOF
-if [ -n $GATEWAY ]; then
- echo GATEWAY=$GATEWAY >> $FILE
-fi
-if [ -n $SUBNET ]; then
- echo SUBNET=$SUBNET >> $FILE
-fi
-if [ -n $GATEWAY6 ]; then
- echo GATEWAY6=$GATEWAY6 >> $FILE
-fi
-if [ -n $SUBNET6 ]; then
- echo SUBNET6=$SUBNET6 >> $FILE
-fi
-
-}
-
-function clear_ebtables {
- TAP=$INTERFACE
- FROM=FROM${TAP^^}
- TO=TO${TAP^^}
-
- exist=$(ebtables -L | grep $TAP)
-
- if [ ! -z "$exist" ]; then
- ebtables -D INPUT -i $TAP -j $FROM
- ebtables -D FORWARD -i $TAP -j $FROM
- ebtables -D FORWARD -o $TAP -j $TO
- ebtables -D OUTPUT -o $TAP -j $TO
-
- ebtables -X $FROM
- ebtables -X $TO
- fi
-}
-
function setup_ebtables {
TAP=$INTERFACE
FROM=FROM${TAP^^}
ebtables -N $FROM
# do not allow changes in ip-mac pair
- ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
- ebtables -A $FROM -s \! $MAC -j DROP
- ebtables -A FORWARD -i $TAP -j $FROM
+ if [ -n "$IP"]; then
+ ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
+ fi
+ ebtables -A $FROM -s \! $MAC -j DROP
+ ebtables -A FORWARD -i $TAP -j $FROM
ebtables -N $TO
ebtables -A FORWARD -o $TAP -j $TO
#accept dhcp responses from host (nfdhcpd)
ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
- if [ $TYPE == "private" ]; then
- if [ ! -z $GATEWAY ]; then
+ if [ "$TYPE" == "private" ]; then
+ if [ ! -z "$GATEWAY" -a $ENABLE_MASQ ]; then
# allow packets from/to router (for masquerading
- ebtables -A $TO -s $ROUTER_MAC -j ACCEPT
- ebtables -A INPUT -i $TAP -j $FROM
+ ebtables -A $TO -s $ROUTER_MAC -j ACCEPT
+ ebtables -A INPUT -i $TAP -j $FROM
ebtables -A OUTPUT -o $TAP -j $TO
fi
- # allow only packets from the same mac prefix
- ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
+ # allow only packets from the same mac prefix
+ ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
fi
}
-TABLE=rt_$NETWORK
+function setup_nfdhcpd {
+ umask 022
+ FILE=$NFDHCPD_STATE_DIR/$INTERFACE
+ #IFACE is the interface from which the packet seems to arrive
+ #needed in bridged mode where the packets seems to arrive from the
+ #bridge and not from the tap
+ cat >$FILE <<EOF
+INDEV=$1
+IP=$IP
+MAC=$MAC
+HOSTNAME=$INSTANCE
+TAGS="$TAGS"
+GATEWAY=$GATEWAY
+SUBNET=$SUBNET
+GATEWAY6=$GATEWAY6
+SUBNET6=$SUBNET6
+EUI64=$($MAC2EUI64 $MAC $SUBNET6 2>/dev/null)
+EOF
+
+}
+
-source /var/lib/snf-network/networks/$NETWORK
+DEFAULT=/etc/default/snf-network
+source $DEFAULT
+source $CONF
+NODEINFRAFILE=$SHAREDDIR/infra/$(hostname)
+
+if [ -e "$NODEINFRAFILE" ]; then
+ source $NODEINFRAFILE
+fi
+
+CLUSTERINFRAFILE=$SHAREDDIR/infra/cluster
+
+if [ -e "$CLUSTERINFRAFILE" ]; then
+ source $CLUSTERINFRAFILE
+fi
+
+TABLE=rt_$NETWORK
+clear_routed_setup_ipv4 > /dev/null 2>&1
+clear_routed_setup_ipv6 > /dev/null 2>&1
+clear_routed_setup_firewall > /dev/null 2>&1
+clear_ebtables > /dev/null 2>&1
if [ "$MODE" = "routed" ]; then
- # special proxy-ARP/NDP routing mode
- clear_tap
# use a constant predefined MAC address for the tap
ip link set $INTERFACE addr $TAP_CONSTANT_MAC
# bring the tap up
# Drop unicast BOOTP/DHCP packets
iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
- routed_setup_ipv4
- routed_setup_ipv6
- routed_setup_firewall
+ routed_setup_ipv4 > /dev/null 2>&1
+ routed_setup_ipv6 > /dev/null 2>&1
+ routed_setup_firewall > /dev/null 2>&1
setup_nfdhcpd $INTERFACE
- clear_ebtables >/dev/null 2>&1
elif [ "$MODE" = "bridged" ]; then
- clear_tap
- clear_ebtables >/dev/null 2>&1
ifconfig $INTERFACE 0.0.0.0 up
brctl addif $BRIDGE $INTERFACE
setup_nfdhcpd $BRIDGE
- setup_ebtables
-fi
+ setup_ebtables > /dev/null 2>&1
+fi
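Review bot: The anti-spoofing rule in setup_ebtables is never installed because of a missing space before `]` in `if [ -n "$IP"]; then` — `[` reports a syntax error and the condition is false, so the `--ip-source \! $IP ... -j DROP` rule is skipped for every instance; the line should read `if [ -n "$IP" ]; then`. The failure is invisible in this revision because the call site now runs `setup_ebtables > /dev/null 2>&1`, and the same redirection on `routed_setup_ipv4/ipv6/firewall` hides any ebtables/iptables/ip error in rules that enforce isolation, so I would drop the redirection from the setup_* calls (keep it on the clear_* calls, whose deletions are expected to fail) or at least test their return status and log to stderr. In `if [ ! -z "$GATEWAY" -a $ENABLE_MASQ ]; then` the unquoted `$ENABLE_MASQ` breaks the test when it is unset and any non-empty value (presumably including "false" or "0") counts as enabled; `if [ -n "$GATEWAY" ] && [ -n "$ENABLE_MASQ" ]; then` keeps the current non-empty semantics without the malformed test, assuming that is the intended contract for ENABLE_MASQ. Note also that `source $DEFAULT`, `source $CONF` and the infra files are read unquoted; quoting `"$CONF"` etc. is consistent with the quoting the commit added for `"$GATEWAY"` and `"$TYPE"`.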