--- /dev/null
+#!/bin/bash
+
+function try {
+
+ $1 &>/dev/null || true
+
+}
+
+
+function clear_routed_setup_ipv4 {
+
+ arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle
+ while ip rule del dev $INTERFACE; do :; done
+ iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
+
+}
+
+function clear_routed_setup_ipv6 {
+
+ while ip -6 rule del dev $INTERFACE; do :; done
+
+}
+
+
+function clear_routed_setup_firewall {
+
+ for oldchain in protected unprotected limited; do
+ iptables -D FORWARD -o $INTERFACE -j $oldchain
+ ip6tables -D FORWARD -o $INTERFACE -j $oldchain
+ done
+
+}
+
+function clear_ebtables {
+
+ ebtables -D FORWARD -i $INTERFACE -j $FROM
+ ebtables -D FORWARD -o $INTERFACE -j $TO
+ #ebtables -D OUTPUT -o $INTERFACE -j $TO
+
+ ebtables -X $FROM
+ ebtables -X $TO
+}
+
+
+function clear_nfdhcpd {
+
+ rm $NFDHCPD_STATE_DIR/$INTERFACE
+
+}
+
+
+function routed_setup_ipv4 {
+
+ # mangle ARPs to come from the gw's IP
+ arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY"
+
+ # route interface to the proper routing table
+ ip rule add dev $INTERFACE table $TABLE
+
+ # static route mapping IP -> INTERFACE
+ ip route replace $IP proto static dev $INTERFACE table $TABLE
+
+ # Enable proxy ARP
+ echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
+}
+
+function routed_setup_ipv6 {
+ # Add a routing entry for the eui-64
+ prefix=$NETWORK_SUBNET6
+ uplink=$(ip -6 route list table $TABLE | grep "default via" | awk '{print $5}')
+ eui64=$($MAC2EUI64 $MAC $prefix)
+
+
+ ip -6 rule add dev $INTERFACE table $TABLE
+ ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE
+ ip -6 neigh add proxy $eui64 dev $uplink
+
+ # disable proxy NDP since we're handling this on userspace
+ # this should be the default, but better safe than sorry
+ echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp
+}
+
+# pick a firewall profile per NIC, based on tags (and apply it)
+function routed_setup_firewall {
+ ifprefix="synnefo:network:$INTERFACE_INDEX:"
+ for tag in $TAGS; do
+ case ${tag#$ifprefix} in
+ protected)
+ chain=protected
+ ;;
+ unprotected)
+ chain=unprotected
+ ;;
+ limited)
+ chain=limited
+ ;;
+ esac
+ done
+
+ if [ "x$chain" != "x" ]; then
+ iptables -A FORWARD -o $INTERFACE -j $chain
+ ip6tables -A FORWARD -o $INTERFACE -j $chain
+ fi
+}
+
+function init_ebtables {
+
+ ebtables -N $FROM
+ ebtables -A FORWARD -i $INTERFACE -j $FROM
+ ebtables -N $TO
+ ebtables -A FORWARD -o $INTERFACE -j $TO
+
+}
+
+
+function setup_ebtables {
+
+ # do not allow changes in ip-mac pair
+ if [ -n "$IP"]; then
+ ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
+ fi
+ ebtables -A $FROM -s \! $MAC -j DROP
+ #accept dhcp responses from host (nfdhcpd)
+ ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
+ # allow only packets from the same mac prefix
+ ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
+}
+
+function setup_masq {
+
+ # allow packets from/to router (for masquerading)
+ # ebtables -A $TO -s $NODE_MAC -j ACCEPT
+ # ebtables -A INPUT -i $INTERFACE -j $FROM
+ # ebtables -A OUTPUT -o $INTERFACE -j $TO
+ return
+
+}
+
+function setup_nfdhcpd {
+ umask 022
+ FILE=$NFDHCPD_STATE_DIR/$INTERFACE
+ #IFACE is the interface from which the packet seems to arrive
+ #needed in bridged mode where the packets seems to arrive from the
+ #bridge and not from the tap
+ cat >$FILE <<EOF
+INDEV=$INDEV
+IP=$IP
+MAC=$MAC
+HOSTNAME=$INSTANCE
+TAGS="$TAGS"
+GATEWAY=$NETWORK_GATEWAY
+SUBNET=$NETWORK_SUBNET
+GATEWAY6=$NETWORK_GATEWAY6
+SUBNET6=$NETWORK_SUBNET6
+EUI64=$($MAC2EUI64 $MAC $NETWORK_SUBNET6 2>/dev/null)
+EOF
+
+}
+
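Review bot: `if [ -n "$IP"]; then` in setup_ebtables lacks the space before `]`, so `[` receives the single operand `<ip>]`, which is non-empty even when IP is unset; the branch therefore always runs and, with an empty IP, `ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP` is malformed and fails. The fix is `if [ -n "$IP" ]; then`. Because every setup_* function is invoked through `try`, that failure and its stderr are discarded and the port comes up without the source-IP filter with nothing recorded, which is the opposite of what a fail-closed anti-spoofing rule should do. Consider keeping a trace of failures in `try`, e.g. `"$@" >/dev/null 2>&1 || logger -t snf-network "$1 failed"`, which also forwards any arguments instead of only `$1`. The callers in the two following hunks run the same functions through `try` and inherit the same behaviour.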
# This is an example of a Ganeti kvm ifup script that configures network
# interfaces based on the initial deployment of the Okeanos project
-TAP_CONSTANT_MAC=cc:47:52:4e:45:54 # GRNET in hex :-)
-MAC2EUI64=/usr/bin/mac2eui64
-NFDHCPD_STATE_DIR=/var/lib/nfdhcpd
-
-function clear_routed_setup_ipv4 {
-
- arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle
- while ip rule del dev $INTERFACE; do :; done
- iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
-
-}
-
-function clear_routed_setup_ipv6 {
-
- while ip -6 rule del dev $INTERFACE; do :; done
-
-}
-
-
-function clear_routed_setup_firewall {
-
- for oldchain in protected unprotected limited; do
- iptables -D FORWARD -o $INTERFACE -j $oldchain
- ip6tables -D FORWARD -o $INTERFACE -j $oldchain
- done
-
-}
-
-function clear_ebtables {
-
- ebtables -D FORWARD -i $TAP -j $FROM
- ebtables -D FORWARD -o $TAP -j $TO
- #ebtables -D OUTPUT -o $TAP -j $TO
-
- ebtables -X $FROM
- ebtables -X $TO
-}
-
-
-function clear_nfdhcpd {
-
- rm $NFDHCPD_STATE_DIR/$INTERFACE
-
-}
-
-
-function routed_setup_ipv4 {
-
- # mangle ARPs to come from the gw's IP
- arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY"
-
- # route interface to the proper routing table
- ip rule add dev $INTERFACE table $TABLE
-
- # static route mapping IP -> INTERFACE
- ip route replace $IP proto static dev $INTERFACE table $TABLE
-
- # Enable proxy ARP
- echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
-}
-
-function routed_setup_ipv6 {
- # Add a routing entry for the eui-64
- prefix=$NETWORK_SUBNET6
- uplink=$(ip -6 route list table $TABLE | grep "default via" | awk '{print $5}')
- eui64=$($MAC2EUI64 $MAC $prefix)
-
-
- ip -6 rule add dev $INTERFACE table $TABLE
- ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE
- ip -6 neigh add proxy $eui64 dev $uplink
-
- # disable proxy NDP since we're handling this on userspace
- # this should be the default, but better safe than sorry
- echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp
-}
-
-# pick a firewall profile per NIC, based on tags (and apply it)
-function routed_setup_firewall {
- ifprefix="synnefo:network:$INTERFACE_INDEX:"
- for tag in $TAGS; do
- case ${tag#$ifprefix} in
- protected)
- chain=protected
- ;;
- unprotected)
- chain=unprotected
- ;;
- limited)
- chain=limited
- ;;
- esac
- done
-
- if [ "x$chain" != "x" ]; then
- iptables -A FORWARD -o $INTERFACE -j $chain
- ip6tables -A FORWARD -o $INTERFACE -j $chain
- fi
-}
-
-function init_ebtables {
-
- ebtables -N $FROM
- ebtables -A FORWARD -i $TAP -j $FROM
- ebtables -N $TO
- ebtables -A FORWARD -o $TAP -j $TO
-
-}
-
-
-function setup_ebtables {
-
- # do not allow changes in ip-mac pair
- if [ -n "$IP"]; then
- ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
- fi
- ebtables -A $FROM -s \! $MAC -j DROP
- #accept dhcp responses from host (nfdhcpd)
- ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
- # allow only packets from the same mac prefix
- ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
-}
-
-function setup_masq {
-
- # allow packets from/to router (for masquerading)
- # ebtables -A $TO -s $NODE_MAC -j ACCEPT
- # ebtables -A INPUT -i $TAP -j $FROM
- # ebtables -A OUTPUT -o $TAP -j $TO
- return
-
-}
-
-function setup_nfdhcpd {
- umask 022
- FILE=$NFDHCPD_STATE_DIR/$INTERFACE
- #IFACE is the interface from which the packet seems to arrive
- #needed in bridged mode where the packets seems to arrive from the
- #bridge and not from the tap
- cat >$FILE <<EOF
-INDEV=$INDEV
-IP=$IP
-MAC=$MAC
-HOSTNAME=$INSTANCE
-TAGS="$TAGS"
-GATEWAY=$NETWORK_GATEWAY
-SUBNET=$NETWORK_SUBNET
-GATEWAY6=$NETWORK_GATEWAY6
-SUBNET6=$NETWORK_SUBNET6
-EUI64=$($MAC2EUI64 $MAC $NETWORK_SUBNET6 2>/dev/null)
-EOF
-
-}
-
-
source /etc/default/snf-network
+source /usr/lib/snf-network/common.sh
-TAP=$INTERFACE
-FROM=FROM${TAP^^}
-TO=TO${TAP^^}
+FROM=FROM${INTERFACE^^}
+TO=TO${INTERFACE^^}
-clear_routed_setup_ipv4 > /dev/null 2>&1
-clear_routed_setup_ipv6 > /dev/null 2>&1
-clear_routed_setup_firewall > /dev/null 2>&1
-clear_ebtables > /dev/null 2>&1
-clear_nfdhcpd > /dev/null 2>&1
+try clear_routed_setup_ipv4
+try clear_routed_setup_ipv6
+try clear_routed_setup_firewall
+try clear_ebtables
+try clear_nfdhcpd
if [ "$MODE" = "routed" ]; then
TABLE=$LINK
ip link set $INTERFACE up
brctl addif $BRIDGE $INTERFACE
INDEV=$BRIDGE
- init_ebtables > /dev/null 2>&1
+ try init_ebtables
DROPDHCPREQCMD="ebtables -A $FROM -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP"
fi
for tag in $NETWORK_TAGS; do
case $tag in
$IP_LESS_ROUTED_TAG)
- routed_setup_ipv4 > /dev/null 2>&1
- routed_setup_ipv6 > /dev/null 2>&1
- routed_setup_firewall > /dev/null 2>&1
+ try routed_setup_ipv4
+ try routed_setup_ipv6
+ try routed_setup_firewall
;;
$NFDHCPD_TAG)
# Drop unicast BOOTP/DHCP packets
- $DROPDHCPREQCMD > /dev/null 2>&1
- setup_nfdhcpd > /dev/null 2>&1
+ $DROPDHCPREQCMD
+ try setup_nfdhcpd
;;
$MAC_FILTERED_TAG)
- setup_ebtables > /dev/null 2>&1
+ try setup_ebtables
;;
$MASQ_TAG)
- setup_masq > /dev/null 2>&1
+ try setup_masq
;;
esac
done
--- /dev/null
+#!/bin/bash
+
+
+dir=$(dirname "$0")
+. "$dir"/vif-common.sh
+
+source /etc/default/snf-network
+source /usr/lib/snf-network/common.sh
+
+domname=$(xm domname $domid)
+
+source $GANETI_NIC_DIR/$domname/$devid
+
+INTERFACE=$dev
+INSTANCE=$domname
+
+FROM=FROM${INTERFACE^^}
+TO=TO${INTERFACE^^}
+
+
+try clear_routed_setup_ipv4
+try clear_routed_setup_ipv6
+try clear_routed_setup_firewall
+try clear_ebtables
+try clear_nfdhcpd
+
+if [ "$MODE" = "routed" ]; then
+ TABLE=$LINK
+ ip link set $INTERFACE up
+ success
+ INDEV=$INTERFACE
+ DROPDHCPREQCMD="iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP"
+elif [ "$MODE" = "bridged" ]; then
+ ip link set $INTERFACE up
+ BRIDGE=$(xenstore_read_default "$XENBUS_PATH/bridge" "$LINK")
+ brctl addif $BRIDGE $INTERFACE
+ success
+ INDEV=$BRIDGE
+ try init_ebtables
+ DROPDHCPREQCMD="ebtables -A $FROM -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP"
+fi
+
+
+for tag in $NETWORK_TAGS; do
+ case $tag in
+ $IP_LESS_ROUTED_TAG)
+ try routed_setup_ipv4
+ try routed_setup_ipv6
+ try routed_setup_firewall
+ ;;
+ $NFDHCPD_TAG)
+ # Drop unicast BOOTP/DHCP packets
+ $DROPDHCPREQCMD
+ try setup_nfdhcpd
+ ;;
+ $MAC_FILTERED_TAG)
+ try setup_ebtables
+ ;;
+ $MASQ_TAG)
+ try setup_masq
+ ;;
+ esac
+done
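Review bot: `success` is called in both the routed and bridged branches before the tag loop that installs the filtering rules (`try setup_ebtables`, `try routed_setup_firewall`, `$DROPDHCPREQCMD`); if `success` reports hotplug-status connected to the toolstack as in the stock Xen vif scripts, the guest's vif can be live for a window in which no MAC/IP or DHCP filtering is in place. Move the single `success` call to after the `done` that closes the tag loop so the status is reported only once the rules are applied, and drop the two calls inside the if/elif. Separately, `domname=$(xm domname $domid)` is not checked; if it fails, `source $GANETI_NIC_DIR/$domname/$devid` sources a path with an empty component and MODE/IP/MAC stay unset for the rest of the script (unless vif-common.sh enables errexit, which is not visible here), so add `[ -n "$domname" ] || { echo "cannot resolve domname for domid $domid" >&2; exit 1; }` right after it.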