Assume standard interfaces per nodegroup.
First define a network.
Then define a nodegroup.
Then define a connection.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
+++ /dev/null
-#!/bin/bash
-
-DIR=/var/lib/snf-network
-SUBNET=$1
-GATEWAY=$2
-TYPE=$3
-NAME=$4
-RT_TABLES=/etc/iproute2/rt_tables
-
-
-
-if [ $# -ne 4 ]; then
- echo "$0 <subnet> <gateway> <private/public> <name>"
- exit 1
-fi
-
-
-
-cat > $DIR/networks/$NAME <<EOF
-SUBNET=$SUBNET
-GATEWAY=$GATEWAY
-TYPE=$TYPE
-EOF
-
-
-IDX=$(ls $DIR/networks | wc -l)
-
-# remove old entry
-sed -i '/^'"$IDX"'\ / d' $RT_TABLES
-
-echo "$IDX rt_$NAME" >> $RT_TABLES
-
-
+++ /dev/null
-#!/bin/bash
-
-DIR=/var/lib/snf-network
-NODES=$1
-ROUTER=$2
-IFACE=$3
-VLAN=$4
-VLANS=$5
-NAME=$6
-
-
-if [ $# -ne 6 ]; then
- echo "$0 <list_nodes> <router> <iface> <public_vlan> <list_of_private_vlans> <name>"
- echo "$0 'dev88 89' 'dev88' 'eth0' '101' '2990 2999' 'default'"
- exit 1
-fi
-
-
-
-cat > $DIR/nodegroups/$NAME <<EOF
-ROUTER=$ROUTER
-INTERFACE=$IFACE
-PUBLIC_VLAN=$VLAN
-PRIVATE_VLANS=$VLANS
-EOF
-
-
--- /dev/null
+#!/bin/bash
+
+source /etc/default/snf-network
+
+HOSTNAME=$(hostname)
+
+
+INTERFACES=$SHAREDDIR/interfaces/$HOSTNAME
+INFRA=$SHAREDDIR/infra/$HOSTNAME
+
+if [ -e $INFRA ]; then
+ source $INFRA
+fi
+
+if [ -e /proc/sys/net/ipv4/conf/$PUBLIC_VLAN -o \
+# -e /proc/sys/net/ipv4/conf/$PUBLIC_BRIDGE -o \
+ -e /proc/sys/net/ipv4/conf/$MASQ_VLAN -o \
+ -e /proc/sys/net/ipv4/conf/$MASQ_BRIDGE -o \
+ -e /proc/sys/net/ipv4/conf/$PRIVATE_VLAN -o \
+ -e /proc/sys/net/ipv4/conf/$PRIVATE_BRIDGE ]; then
+ echo Interfaces already exist! Please check:
+ echo $PUBLIC_BRIDGE for bridging TAPs with public IPs
+ echo $PUBLIC_VLAN for routing TAPs with public IPs
+ echo $PRIVATE_VLAN bridged on $PRIVATE_BRIDGE for private LANs
+ echo $MASQ_VLAN bridged on $MASQ_BRIDGE for private IPs that get MASQUERADED
+ exit 1
+fi
+
+
+cat > $INTERFACES<<EOF
+#auto $PUBLIC_BRIDGE
+#iface $PUBLIC_BRIDGE inet manual
+# bridge_ports $PUBLIC_INTERFACE
+# bridge_stp off
+# bridge_fd 2
+
+auto $PUBLIC_VLAN
+iface $PUBLIC_VLAN inet manual
+
+auto $PRIVATE_VLAN
+iface $PRIVATE_VLAN inet manual
+
+auto $PRIVATE_BRIDGE
+iface $PRIVATE_BRIDGE inet manual
+ bridge_ports $PRIVATE_VLAN
+ bridge_stp off
+ bridge_fd 2
+
+auto $MASQ_VLAN
+iface $MASQ_VLAN inet manual
+
+auto $MASQ_BRIDGE
+iface $MASQ_BRIDGE inet manual
+ bridge_ports $MASQ_VLAN
+ bridge_stp off
+ bridge_fd 2
+EOF
+
+
+ifup -i $INTERFACES -a
+
+
+echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
+echo 1 > /proc/sys/net/ipv4/ip_forward
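Review bot: The commented-out line inside the `[ ... ]` test (line 84) silently disables the "already exist" guard: the backslash on line 83 joins line 84 onto it, the `#` then starts a comment that swallows line 84's own trailing backslash, so the test ends at `-o` (an error, status 2) and the remaining `-e ... ]` words on lines 85-88 run as a separate, nonexistent command; the `if` therefore never fires and the script proceeds to rewrite and `ifup` the interfaces. The test is also vacuously true whenever one of the names is unset, because `/proc/sys/net/ipv4/conf/` itself always exists (where `PUBLIC_VLAN` etc. come from is not visible here; presumably `$INFRA` or /etc/default/snf-network). Testing each name on its own, skipping empty ones, fixes both and drops the deprecated `-o`:
```shell
# … unchanged: sourcing /etc/default/snf-network and $INFRA …
for dev in "$PUBLIC_VLAN" "$MASQ_VLAN" "$MASQ_BRIDGE" "$PRIVATE_VLAN" "$PRIVATE_BRIDGE"; do
  # an unset name would test /proc/sys/net/ipv4/conf/ itself, which always exists
  [ -n "$dev" ] || continue
  if [ -e "/proc/sys/net/ipv4/conf/$dev" ]; then
    echo "Interfaces already exist! Please check:"
    # … unchanged: the four explanatory echo lines …
    exit 1
  fi
done
```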
+++ /dev/null
-#!/bin/bash
-
-DIR=/var/lib/snf-network
-NETWORK=$1
-NODEGROUP=$2
-MODE=$3
-LINK=$4
-
-source /etc/default/snf-network
-
-if [ $# -ne 4 ]; then
- echo "$0 <network> <nodegroup> <mode> <link>"
- exit 1
-fi
-
-NETWORK_FILE=$DIR/networks/$NETWORK
-NODEGROUP_FILE=$DIR/nodegoups/$NODEGROUP
-INTERFACES=$DIR/interfaces/$NETWORK-$NODEGROUP
-
-source $NETWORK_FILE
-source $NODEGROUP_FILE
-
-if [ $MODE == "routed" ]; then
- VLAN=$LINK
- if [ $TYPE == "public" ]; then
- APR_IP=$(ipcalc $SUBNET | grep HostMax | awk '{print $2}')
- cat > $INTERFACES<<EOF
-# $VLAN $MODE
-auto $VLAN
-iface $VLAN inet manual
-# ip-routing-table rt_$NETWORK
-# ip-routes $SUBNET
-# ip-gateway $GATEWAY
-# ip-forwarding 1
-# ip-proxy-arp 1
-# arp-ip $ARP_IP
-EOF
- ifup -i $INTERFACES $VLAN
- ip link set $VLAN up
-
- ip rule add iif $VLAN table rt_$NAME
-
- ip route add $SUBNET dev $VLAN table main
-
- ip route add $SUBNET dev $VLAN table rt_$NAME
- ip route add default via $GATEWAY dev $VLAN table rt_$NAME
-
- echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
-
- arptables -A OUTPUT -o $VLAN --opcode request -j mangle --mangle-ip-s $ARP_IP
- fi
-fi
-
-
-
-if [ $MODE == "bridged" ]; then
- BRIDGE=$LINK
- echo 1 > /proc/sys/net/ipv4/ip_forward
- if [ $TYPE == "public" ]; then
- VLAN=$INTERFACE.$PUBLIC_VLAN_ID
- elif [ $TYPE == "private" ]; then
- VLAN_ID=${PRIVATE_VLAN_IDS%% *}
- VLAN_IDS=${PRIVATE_VLAN_IDS#* }
- sed -i 's/PRIVATE_VLAN_IDS/ s/=.*/='"VLAN_IDS"'/' $NODEGROUP_FILE
- #set -- $PRIVATE_VLAN_IDS
- #VLAN=$1
- #shift
- #VLANS=$@
- VLAN=$INTERFACE.$VLAN_ID
- fi
- cat > $INTERFACES <<EOF
-# $VLAN $MODE $BRIDGE
-auto $VLAN
-iface $VLAN inet manual
-
-auto $BRIDGE
-iface $BRIDGE inet manual
- bridge_ports $VLAN
- bridge_stp off
- bridge_fd 2
-EOF
- ifup -i $INTERFACES $BRIDGE
- ip link set $VLAN up
- ip route add $SUBNET dev $BRIDGE table main
-
- ip route add $SUBNET dev $BRIDGE table rt_$NETWORK
- if [ ! -z $GATEWAY ]; then
- ip route add default via dev $BRIDGE table rt_$NETWORK
- if [ $TYPE == "private" ]; then
- if [ ! -z $ROUTER ]; then
- if [ $(hostname) == $ROUTER ]; then
- NETMASK=$(ipcalc $SUBNET | grep Netmask | awk '{print $4}')
- ip addr add $GATEWAY/$NETMASK dev $BRIDGE
- iptables -t nat -A POSTROUTING -s $SUBNET \! -d $SUBNET -j MASQUERADE
- fi
- fi
- fi
- fi
-fi
+++ /dev/null
-#!/bin/bash
-
-DIR=/var/lib/snf-network
-NETWORK=$1
-NODEGROUP=$2
-
-source /etc/default/snf-network
-
-if [ $# -ne 2 ]; then
- echo "$0 <network> <nodegroup>"
- exit 1
-fi
-
-NETWORK_FILE=$DIR/networks/$NETWORK
-NODEGROUP_FILE=$DIR/nodegoups/$NODEGROUP
-INTERFACES=$DIR/interfaces/$NETWORK-$NODEGROUP
-
-read x VLAN BRIDGE < $INTERFACES
-
-VLAN_ID=${VLAN#*:}
-
-source $NETWORK_FILE
-source $NODEGROUP_FILE
-
-if [ $MODE == "routed" ]; then
- if [ $TYPE == "public" ]; then
- APR_IP=$(ipcalc $SUBNET | grep HostMax | awk '{print $2}')
- ip rule del iif $VLAN table rt_$NAME
-
- ip route del $SUBNET dev $VLAN table main
-
- ip route del $SUBNET dev $VLAN table rt_$NAME
- ip route del default via $GATEWAY dev $VLAN table rt_$NAME
-
- arptables -D OUTPUT -o $VLAN --opcode request -j mangle --mangle-ip-s $ARP_IP
- ifdown -i $INTERFACES $VLAN
- rm $INTERFACES
- fi
-fi
-
-
-
-if [ $MODE == "bridged" ]; then
- if [ $TYPE == "private" ]; then
- VLAN_IDS="$VLAN_ID $PRIVATE_VLAN_IDS"
- sed -i 's/PRIVATE_VLAN_IDS/ s/=.*/='"VLAN_IDS"'/' $NODEGROUP_FILE
- fi
-
- ip route del $SUBNET dev $BRIDGE table main
-
- ip route del $SUBNET dev $BRIDGE table rt_$NETWORK
- if [ ! -z $GATEWAY ]; then
- ip route del default via $GATEWAY dev $BRIDGE table rt_$NETWORK
- if [ $TYPE == "private" ]; then
- if [ ! -z $ROUTER ]; then
- if [ $(hostname) == $ROUTER ]; then
- NETMASK=$(ipcalc $SUBNET | grep Netmask | awk '{print $4}')
- ip addr del $GATEWAY/$NETMASK dev $LINK
- iptables -t nat -D POSTROUTING -s $SUBNET \! -d $SUBNET -j MASQUERADE
- fi
- fi
- fi
- fi
- ifdown -i $INTERFACES $BRIDGE
- rm $INTERFACES
-fi
--- /dev/null
+#!/bin/bash
+
+source /etc/default/snf-network
+
+GROUP=$GANETI_GROUP_NAME
+
+ACTION=$GANETI_GROUP_NETWORK_ACTION
+NETWORK=$GANETI_GROUP_NETWORK_NAME
+MODE=$GANETI_GROUP_NETWORK_MODE
+LINK=$GANETI_GROUP_NETWORK_LINK
+
+
+
+if [ -z $ACTION ]; then
+ exit 0
+fi
+
+NETFILE=$SHAREDDIR/networks/$NETWORK
+
+MAPFILE=$SHAREDDIR/mappings/$NETWORK-$GROUP
+
+function set_rt_table {
+ ID=$(sed -n '/^$/ { =; q}' /etc/iproute2/rt_tables)
+ if [ -z $ID ]; then
+ ID=$(wc -l /etc/iproute2/rt_tables)
+ echo $((ID+1)) rt_$NETWORK > /etc/iproute2/rt_tables
+ else
+ sed -i '1,/^$/ s/^$/'"$ID"' rt_'"$NETWORK"'/' /etc/iproute2/rt_tables
+ fi
+}
+
+
+
+if [ $ACTION == "add" ]; then
+ if [ $MODE == "routed" ]; then
+ VLAN=$LINK
+ if [ $TYPE == "public" ]; then
+ ARP_IP=$(ipcalc $SUBNET | grep HostMax | awk '{print $2}')
+
+ ip link set $VLAN up
+
+ echo 1 > "/proc/sys/net/ipv4/conf/$VLAN/proxy_arp"
+
+ set_rt_table
+
+ ip rule add iif $VLAN table rt_$NETWORK
+
+ ip route add $SUBNET dev $VLAN table main
+
+ ip route add $SUBNET dev $VLAN table rt_$NETWORK
+ ip route add default via $GATEWAY dev $VLAN table rt_$NETWORK
+
+ echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
+
+ arptables -A OUTPUT -o $VLAN --opcode request -j mangle --mangle-ip-s $ARP_IP
+ fi
+ fi
+
+
+
+ if [ $MODE == "bridged" ]; then
+ BRIDGE=$LINK
+ if [ ! -z $GATEWAY ]; then
+ if [ $TYPE == "private" ]; then
+ if [ $(hostname) == $ROUTER ]; then
+ NETMASK=$(ipcalc $SUBNET | grep Netmask | awk '{print $4}')
+ ip addr add $GATEWAY/$NETMASK dev $BRIDGE
+ iptables -t nat -A POSTROUTING -s $SUBNET \! -d 192.168.0.0/16 -j MASQUERADE
+ fi
+ fi
+ fi
+ fi
+
+ cat > $MAPFILE <<EOF
+MODE=$MODE
+LINK=$LINK
+EOF
+
+else
+
+ source $MAPFILE
+
+ if [ "$MODE" == "routed" ]; then
+ VLAN=$LINK
+ TABLE=rt_$NETWORK
+ if [ $TYPE == "public" ]; then
+ ARP_IP=$(ipcalc $SUBNET | grep HostMax | awk '{print $2}')
+
+ arptables -D OUTPUT -o $VLAN --opcode request -j mangle --mangle-ip-s $ARP_IP
+
+ ip route del default via $GATEWAY dev $VLAN table $TABLE
+ ip route del $SUBNET dev $VLAN table $TABLE
+
+ ip route del $SUBNET dev $VLAN table main
+
+ ip rule del iif $VLAN table $TABLE
+ sed -i 's/.*'"$TABLE"'$//' /etc/iproute2/rt_tables
+ fi
+ fi
+
+
+
+ if [ "$MODE" == "bridged" ]; then
+ BRIDGE=$LINK
+ if [ ! -z $GATEWAY ]; then
+ if [ $TYPE == "private" ]; then
+ if [ $(hostname) == $ROUTER ]; then
+ NETMASK=$(ipcalc $SUBNET | grep Netmask | awk '{print $4}')
+ ip addr del $GATEWAY/$NETMASK dev $BRIDGE
+ iptables -t nat -D POSTROUTING -s $SUBNET \! -d 192.168.0.0/16 -j MASQUERADE
+ fi
+ fi
+ fi
+ fi
+
+ rm $MAPFILE
+
+fi
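Review bot: `set_rt_table` (lines 322-330) cannot allocate a table id: `wc -l /etc/iproute2/rt_tables` on line 325 prints `N /etc/iproute2/rt_tables`, so `$((ID+1))` is an arithmetic error, and the `>` on line 326 would truncate the file, discarding the reserved `local`/`main`/`default`/`unspec` entries that every routing lookup depends on; use `ID=$(wc -l < /etc/iproute2/rt_tables)` and `echo "$((ID+1)) rt_$NETWORK" >> /etc/iproute2/rt_tables`. A line number is not a free table id either (it can collide with ids already listed, and 253-255 are reserved), so choosing the first unused number from the file's numeric column would be safer. Separately, `$TYPE`, `$SUBNET`, `$GATEWAY` and `$ROUTER` are read on lines 337-367 and 386-409 but nothing in this file sets them: `NETFILE` is computed on line 318 and never sourced, so unless /etc/default/snf-network provides them every `[ $TYPE == ... ]` test fails with "unary operator expected" and the add branch is a no-op. Add `source "$NETFILE"` after line 318, and guard the remove path with `[ -f "$MAPFILE" ] || exit 0` before `source $MAPFILE` on line 381.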
--- /dev/null
+#!/bin/bash
+
+source /etc/default/snf-network
+
+
+NETFILE=$SHAREDDIR/networks/$NETWORK
+
+
+cat > $NETFILE <<EOF
+NETWORK=$GANETI_NETWORK_NAME
+SUBNET=$GANETI_NETWORK_SUBNET
+GATEWAY=$GANETI_NETWORK_GATEWAY
+
+SUBNET6=$GANETI_NETWORK_SUBNET6
+GATEWAY6=$GANETI_NETWORK_GATEWAY6
+
+MAC_PREFIX=$GANETI_NETWORK_MAC_PREFIX
+
+TYPE=$GANETI_NETWORK_TYPE
+EOF
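Review bot: `NETFILE` on line 425 is built from `$NETWORK`, which nothing in this file sets before that point (the name is only read from `$GANETI_NETWORK_NAME` inside the heredoc on line 429), so unless /etc/default/snf-network exports it the path degenerates to `$SHAREDDIR/networks/` and the `cat >` on line 428 fails against a directory; use `NETFILE=$SHAREDDIR/networks/$GANETI_NETWORK_NAME`. The group hook computes the same path, so this file is evidently meant to be `source`d as shell code; writing the values with `printf 'SUBNET=%q\n' "$GANETI_NETWORK_SUBNET"` (and likewise for the others) instead of bare heredoc expansion keeps a name or subnet containing shell metacharacters from being executed on every node that sources it. A `[ -z "$GANETI_NETWORK_NAME" ] && exit 0` guard at the top would also stop a hook invocation without network variables from writing an empty file.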
+
+
MAC2EUI64=/usr/bin/mac2eui64
NFDHCPD_STATE_DIR=/var/lib/nfdhcpd
+function clear_tap {
+
+ arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle >/dev/null 2>&1
+ while ip rule del dev $INTERFACE; do :; done
+ iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP 2>/dev/null
+
+
+}
+
function routed_setup_ipv4 {
# get the link's default gateway
gw=$(ip route list table $TABLE | sed -n 's/default via \([^ ]\+\).*/\1/p' | head -1)
# mangle ARPs to come from the gw's IP
- arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle >/dev/null 2>&1
arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$gw"
# route interface to the proper routing table
- while ip rule del dev $INTERFACE; do :; done
ip rule add dev $INTERFACE table $TABLE
# static route mapping IP -> INTERFACE
fi
}
-function routed_setup_nfdhcpd {
+function setup_nfdhcpd {
umask 022
cat >$NFDHCPD_STATE_DIR/$INTERFACE <<EOF
IFACE=$1
EOF
}
-function reset_ebtables {
+function clear_ebtables {
TAP=$INTERFACE
FROM=FROM${TAP^^}
TO=TO${TAP^^}
- ebtables -D INPUT -i $TAP -j $FROM
- ebtables -D FORWARD -i $TAP -j $FROM
- ebtables -D FORWARD -o $TAP -j $TO
- ebtables -D OUTPUT -o $TAP -j $TO
+ exist=$(ebtables -L | grep $TAP)
- ebtables -X $FROM
- ebtables -X $TO
+ if [ ! -z "$exist" ]; then
+ ebtables -D INPUT -i $TAP -j $FROM
+ ebtables -D FORWARD -i $TAP -j $FROM
+ ebtables -D FORWARD -o $TAP -j $TO
+ ebtables -D OUTPUT -o $TAP -j $TO
+
+ ebtables -X $FROM
+ ebtables -X $TO
+ fi
}
-function set_ebtables {
+function setup_ebtables {
TAP=$INTERFACE
FROM=FROM${TAP^^}
TO=TO${TAP^^}
ebtables -N $FROM
+ # do not allow changes in ip-mac pair
ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
ebtables -A $FROM -s \! $MAC -j DROP
- ebtables -A INPUT -i $TAP -j $FROM
ebtables -A FORWARD -i $TAP -j $FROM
ebtables -N $TO
ebtables -A FORWARD -o $TAP -j $TO
- ebtables -A OUTPUT -o $TAP -j $TO
#accept dhcp responses from host (nfdhcpd)
ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
if [ $TYPE == "private" ]; then
- ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
if [ ! -z $GATEWAY ]; then
+ # allow packets from/to router (for masquerading
ebtables -A $TO -s $ROUTER_MAC -j ACCEPT
+ ebtables -A INPUT -i $TAP -j $FROM
+ ebtables -A OUTPUT -o $TAP -j $TO
fi
+ # allow only packets from the same mac prefix
+ ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
fi
}
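Review bot: The `$FROM` chain in `setup_ebtables` pins only the IPv4 source (`--ip-source \! $IP -p ipv4`, line 501) and the Ethernet source MAC (line 502); ARP is a different EtherType, so a guest can still emit ARP replies claiming any sender IP with its own MAC and poison neighbours on the bridge, and IPv6 frames are not filtered at all. Add `ebtables -A $FROM -p ARP --arp-ip-src \! $IP -j DROP` next to line 501 (and an `--ip6-source` rule if the guest's IPv6 address is known at this point). Note also that the INPUT/OUTPUT hooks are now attached only for private networks with a gateway (lines 515-516), so in every other case frames from the tap addressed to the host itself bypass `$FROM`; if that is intended, a comment saying so would help the next reader.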
#FIXME: import router mac from the config files
# must know node group!! how???
-ROUTER_MAC=6e:10:e1:a0:c3:0f
+ROUTER_MAC=e4:11:5b:b2:8d:ca
MAC_MASK=ff:ff:ff:0:0:0
TABLE=rt_$NETWORK
if [ "$MODE" = "routed" ]; then
# special proxy-ARP/NDP routing mode
-
+ clear_tap
# use a constant predefined MAC address for the tap
ip link set $INTERFACE addr $TAP_CONSTANT_MAC
# bring the tap up
ifconfig $INTERFACE 0.0.0.0 up
# Drop unicast BOOTP/DHCP packets
- iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP 2>/dev/null
iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
routed_setup_ipv4
- routed_setup_ipv6
- routed_setup_firewall
- routed_setup_nfdhcpd $INTERFACE
- reset_ebtables
+# routed_setup_ipv6
+# routed_setup_firewall
+ setup_nfdhcpd $INTERFACE
+ clear_ebtables >/dev/null 2>&1
elif [ "$MODE" = "bridged" ]; then
- while ip rule del dev $INTERFACE; do :; done
+ clear_tap
+ clear_ebtables >/dev/null 2>&1
ifconfig $INTERFACE 0.0.0.0 up
brctl addif $BRIDGE $INTERFACE
- routed_setup_nfdhcpd $BRIDGE
- reset_ebtables
- set_ebtables
+ setup_nfdhcpd $BRIDGE
+ setup_ebtables
fi
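Review bot: In the bridged branch the tap is attached to the bridge on line 553 before `setup_ebtables` installs the anti-spoofing chains on line 558, so any frames the guest emits in between are forwarded unfiltered; calling `setup_ebtables` before `brctl addif` (the chains reference only the tap name, which exists by then) closes that window. Whether the guest can already be running when this hook executes is not visible here — if Ganeti starts the instance only afterwards, the ordering is harmless and deserves a one-line comment saying so. `clear_ebtables` decides whether chains exist with `ebtables -L | grep $TAP` (line 481), a substring match in which `tap1` also matches `tap10`; `grep -w` or probing `ebtables -L $FROM` directly would be precise, though both call sites silence the output so today the effect is only noise.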
+++ /dev/null
-#
-# reserved values
-#
-255 local
-254 main
-253 default
-0 unspec
-#
-# local
-#
-#1 inr.ruhep
-# dev.grnet.gr, routing table used
-# for the public IP space allocated to Synnefo VMs
-# This *must* match the name of the link
-# in gnt-network for nfdhcpd to work properly.
-44 rt_net100
-45 rt_net101
-46 rt_public
--- /dev/null
+#!/bin/bash
+
+source /etc/default/snf-network
+
+HOSTNAME=$(hostname)
+
+
+INTERFACES=$SHAREDDIR/interfaces/$HOSTNAME
+INFRA=$SHAREDDIR/infra/$HOSTNAME
+
+if [ -e $INFRA ]; then
+ source $INFRA
+fi
+
+ifdown -i $INTERFACES -a --force
+