X-Git-Url: https://code.grnet.gr/git/snf-network/blobdiff_plain/673de0e4a6254f94e08888acae1b899668f99e52..refs/tags/debian/0.15.6-1wheezy:/kvm-vif-bridge
diff --git a/kvm-vif-bridge b/kvm-vif-bridge
index 65cfb47..e83c104 100755
--- a/kvm-vif-bridge
+++ b/kvm-vif-bridge
@@ -3,173 +3,17 @@ # This is an example of a Ganeti kvm ifup script that configures network # interfaces based on the initial deployment of the Okeanos project -TAP_CONSTANT_MAC=cc:47:52:4e:45:54 # GRNET in hex :-) -MAC2EUI64=/usr/bin/mac2eui64 -NFDHCPD_STATE_DIR=/var/lib/nfdhcpd +source /etc/default/snf-network +source /usr/lib/snf-network/common.sh -function clear_routed_setup_ipv4 { +FROM=FROM${INTERFACE^^} +TO=TO${INTERFACE^^} - arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle - while ip rule del dev $INTERFACE; do :; done - iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP - -} - -function clear_routed_setup_ipv6 { - - while ip -6 rule del dev $INTERFACE; do :; done - -} - - -function clear_routed_setup_firewall { - - for oldchain in protected unprotected limited; do - iptables -D FORWARD -o $INTERFACE -j $oldchain - ip6tables -D FORWARD -o $INTERFACE -j $oldchain - done - -} - -function clear_ebtables { - - ebtables -D FORWARD -i $TAP -j $FROM - ebtables -D FORWARD -o $TAP -j $TO - #ebtables -D OUTPUT -o $TAP -j $TO - - ebtables -X $FROM - ebtables -X $TO -} - - - -function routed_setup_ipv4 { - - # mangle ARPs to come from the gw's IP - arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY" - - # route interface to the proper routing table - ip rule add dev $INTERFACE table $TABLE - - # static route mapping IP -> INTERFACE - ip route replace $IP proto static dev $INTERFACE table $TABLE - - # Enable proxy ARP - echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp -} - -function routed_setup_ipv6 { - # Add a routing entry for the eui-64 - prefix=$NETWORK_SUBNET6 - uplink=$PUBLIC_VLAN - eui64=$($MAC2EUI64 $MAC $prefix) - - - ip -6 rule add dev $INTERFACE table $TABLE - ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE - ip -6 neigh add proxy $eui64 dev $uplink - - # disable proxy NDP since we're handling this on userspace - # this should be the default, but better safe than sorry - echo 0 > 
/proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp -} - -# pick a firewall profile per NIC, based on tags (and apply it) -function routed_setup_firewall { - ifprefix="synnefo:network:$INTERFACE_INDEX:" - for tag in $TAGS; do - case ${tag#$ifprefix} in - protected) - chain=protected - ;; - unprotected) - chain=unprotected - ;; - limited) - chain=limited - ;; - esac - done - - if [ "x$chain" != "x" ]; then - iptables -A FORWARD -o $INTERFACE -j $chain - ip6tables -A FORWARD -o $INTERFACE -j $chain - fi -} - -function init_ebtables { - - ebtables -N $FROM - ebtables -A FORWARD -i $TAP -j $FROM - ebtables -N $TO - ebtables -A FORWARD -o $TAP -j $TO - -} - - -function setup_ebtables { - - # do not allow changes in ip-mac pair - if [ -n "$IP"]; then - ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP - fi - ebtables -A $FROM -s \! $MAC -j DROP - #accept dhcp responses from host (nfdhcpd) - ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT - # allow only packets from the same mac prefix - ebtables -A $TO -s \! 
$MAC/$MAC_MASK -j DROP -} - -function setup_masq { - - # allow packets from/to router (for masquerading) - # ebtables -A $TO -s $PUBLIC_MAC -j ACCEPT - # ebtables -A INPUT -i $TAP -j $FROM - # ebtables -A OUTPUT -o $TAP -j $TO - return - -} - -function setup_nfdhcpd { - umask 022 - FILE=$NFDHCPD_STATE_DIR/$INTERFACE - #IFACE is the interface from which the packet seems to arrive - #needed in bridged mode where the packets seems to arrive from the - #bridge and not from the tap - cat >$FILE </dev/null) -EOF - -} - - -DEFAULT=/etc/default/snf-network -source $DEFAULT -source $CONF - -INFRA=$STATE_DIR/infra - -source $INFRA - -log-env - -TAP=$INTERFACE -FROM=FROM${TAP^^} -TO=TO${TAP^^} - -clear_routed_setup_ipv4 > /dev/null 2>&1 -clear_routed_setup_ipv6 > /dev/null 2>&1 -clear_routed_setup_firewall > /dev/null 2>&1 -clear_ebtables > /dev/null 2>&1 +try clear_routed_setup_ipv4 +try clear_routed_setup_ipv6 +try clear_routed_setup_firewall +try clear_ebtables +try clear_nfdhcpd if [ "$MODE" = "routed" ]; then TABLE=$LINK 
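Review bot: The two `source` lines at the top of the hunk are unguarded, and every step that follows (`try`, the `clear_*`/`setup_*` helpers, `clear_nfdhcpd`, the `*_TAG` constants) presumably now comes from `/usr/lib/snf-network/common.sh`; if that file cannot be read and the script has not enabled `set -e` earlier (the shebang and option lines are outside the hunk), each `try …` line fails with "command not found" and the NIC is brought up with none of its ebtables/iptables rules in place. Failing closed is the safer default for an ifup hook: `source /usr/lib/snf-network/common.sh || { echo "kvm-vif-bridge: cannot load common.sh" >&2; exit 1; }`. A one-line comment above the `source` lines naming what this script expects common.sh to define would also help, since all of those definitions were removed from this file in this commit and a reader can no longer find them here.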
@@ -180,29 +24,34 @@ elif [ "$MODE" = "bridged" ]; then ip link set $INTERFACE up brctl addif $BRIDGE $INTERFACE INDEV=$BRIDGE - init_ebtables > /dev/null 2>&1 - DROPDHCPREQCMD="ebtables -A $FROM -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP" + try init_ebtables + DROPDHCPREQCMD="runlocked $RUNLOCKED_OPTS ebtables -A $FROM -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP" fi for tag in $NETWORK_TAGS; do case $tag in - ip-less-routed) - routed_setup_ipv4 > /dev/null 2>&1 - routed_setup_ipv6 > /dev/null 2>&1 - routed_setup_firewall > /dev/null 2>&1 + $IP_LESS_ROUTED_TAG) + try routed_setup_ipv4 + try routed_setup_ipv6 + try routed_setup_firewall ;; - nfdhcpd) + $NFDHCPD_TAG) # Drop unicast BOOTP/DHCP packets - $DROPDHCPREQCMD > /dev/null 2>&1 - setup_nfdhcpd > /dev/null 2>&1 + $DROPDHCPREQCMD + try setup_nfdhcpd ;; - mac-filtered) - setup_ebtables > /dev/null 2>&1 + $MAC_FILTERED_TAG) + try setup_ebtables ;; - masq) - setup_masq > /dev/null 2>&1 + $MASQ_TAG) + try setup_masq ;; esac done +if [ -x "$IFUP_EXTRA_SCRIPT" ]; then + exec $IFUP_EXTRA_SCRIPT "$@" +fi + +exit 0
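Review bot: `exec $IFUP_EXTRA_SCRIPT "$@"` near the end of the hunk leaves the path unquoted while the guard just above tests `-x "$IFUP_EXTRA_SCRIPT"`, so a value with whitespace passes the test and then execs something different; write `exec "$IFUP_EXTRA_SCRIPT" "$@"`. The same word-splitting concern applies to `DROPDHCPREQCMD`, which is built as a single string including `$RUNLOCKED_OPTS` and later run as bare `$DROPDHCPREQCMD`; a bash array (`DROPDHCPREQCMD=(runlocked $RUNLOCKED_OPTS ebtables -A "$FROM" -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP)` executed as `"${DROPDHCPREQCMD[@]}"`) keeps the arguments intact. That line is also the only step inside the `case` not wrapped in `try`, and in routed mode the variable is presumably unset so the line is a silent no-op; if that asymmetry is intentional, a comment on the `$DROPDHCPREQCMD` line saying so would save the next reader from wondering whether unicast DHCP is left unfiltered there. The `case` arms `$IP_LESS_ROUTED_TAG)` etc. are unquoted, so an empty tag constant or one containing glob characters changes which arm matches; `"$IP_LESS_ROUTED_TAG")` makes the comparison literal.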