From: Dimitris Aragiorgis Date: Sat, 11 May 2013 21:01:41 +0000 (+0300) Subject: Add vif-custom script and split kvm-vif-bridge X-Git-Tag: 0.14.1~3 X-Git-Url: https://code.grnet.gr/git/snf-network/commitdiff_plain/38305e4c03e90362dacef352b040c70a8eca163d Add vif-custom script and split kvm-vif-bridge Put functions in /usr/lib/snf-network/common.sh Signed-off-by: Dimitris Aragiorgis
---
diff --git a/common.sh b/common.sh
new file mode 100755
index 0000000..ec95f53
--- /dev/null
+++ b/common.sh
@@ -0,0 +1,159 @@
+#!/bin/bash
+
+function try {
+
+ $1 &>/dev/null || true
+
+}
+
+
+function clear_routed_setup_ipv4 {
+
+ arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle
+ while ip rule del dev $INTERFACE; do :; done
+ iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
+
+}
+
+function clear_routed_setup_ipv6 {
+
+ while ip -6 rule del dev $INTERFACE; do :; done
+
+}
+
+
+function clear_routed_setup_firewall {
+
+ for oldchain in protected unprotected limited; do
+ iptables -D FORWARD -o $INTERFACE -j $oldchain
+ ip6tables -D FORWARD -o $INTERFACE -j $oldchain
+ done
+
+}
+
+function clear_ebtables {
+
+ ebtables -D FORWARD -i $INTERFACE -j $FROM
+ ebtables -D FORWARD -o $INTERFACE -j $TO
+ #ebtables -D OUTPUT -o $INTERFACE -j $TO
+
+ ebtables -X $FROM
+ ebtables -X $TO
+}
+
+
+function clear_nfdhcpd {
+
+ rm $NFDHCPD_STATE_DIR/$INTERFACE
+
+}
+
+
+function routed_setup_ipv4 {
+
+ # mangle ARPs to come from the gw's IP
+ arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY"
+
+ # route interface to the proper routing table
+ ip rule add dev $INTERFACE table $TABLE
+
+ # static route mapping IP -> INTERFACE
+ ip route replace $IP proto static dev $INTERFACE table $TABLE
+
+ # Enable proxy ARP
+ echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp
+}
+
+function routed_setup_ipv6 {
+ # Add a routing entry for the eui-64
+ prefix=$NETWORK_SUBNET6
+ uplink=$(ip -6 route list table $TABLE | grep "default via" | awk '{print $5}')
+ eui64=$($MAC2EUI64 $MAC $prefix)
+
+
+ ip -6 rule add dev $INTERFACE table $TABLE
+ ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE
+ ip -6 neigh add proxy $eui64 dev $uplink
+
+ # disable proxy NDP since we're handling this on userspace
+ # this should be the default, but better safe than sorry
+ echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp
+}
+
+# pick a firewall profile per NIC, based on tags (and apply it)
+function routed_setup_firewall {
+ ifprefix="synnefo:network:$INTERFACE_INDEX:"
+ for tag in $TAGS; do
+ case ${tag#$ifprefix} in
+ protected)
+ chain=protected
+ ;;
+ unprotected)
+ chain=unprotected
+ ;;
+ limited)
+ chain=limited
+ ;;
+ esac
+ done
+
+ if [ "x$chain" != "x" ]; then
+ iptables -A FORWARD -o $INTERFACE -j $chain
+ ip6tables -A FORWARD -o $INTERFACE -j $chain
+ fi
+}
+
+function init_ebtables {
+
+ ebtables -N $FROM
+ ebtables -A FORWARD -i $INTERFACE -j $FROM
+ ebtables -N $TO
+ ebtables -A FORWARD -o $INTERFACE -j $TO
+
+}
+
+
+function setup_ebtables {
+
+ # do not allow changes in ip-mac pair
+ if [ -n "$IP"]; then
+ ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
+ fi
+ ebtables -A $FROM -s \! $MAC -j DROP
+ #accept dhcp responses from host (nfdhcpd)
+ ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
+ # allow only packets from the same mac prefix
+ ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
+}
+
+function setup_masq {
+
+ # allow packets from/to router (for masquerading)
+ # ebtables -A $TO -s $NODE_MAC -j ACCEPT
+ # ebtables -A INPUT -i $INTERFACE -j $FROM
+ # ebtables -A OUTPUT -o $INTERFACE -j $TO
+ return
+
+}
+
+function setup_nfdhcpd {
+ umask 022
+ FILE=$NFDHCPD_STATE_DIR/$INTERFACE
+ #IFACE is the interface from which the packet seems to arrive
+ #needed in bridged mode where the packets seems to arrive from the
+ #bridge and not from the tap
+ cat >$FILE </dev/null)
+EOF
+
+}
+
diff --git a/kvm-vif-bridge b/kvm-vif-bridge
index 543259b..fd970ad 100755
--- a/kvm-vif-bridge
+++ b/kvm-vif-bridge
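Review bot: In setup_ebtables the test `if [ -n "$IP"]; then` lacks the space before `]`, so `[` exits with a syntax error, the branch is skipped and the `ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP` rule that pins the guest to its assigned IP is never installed; the line should read `if [ -n "$IP" ]; then`. Callers wrap every helper in `try`, whose body `$1 &>/dev/null || true` discards both output and exit status, so this and any other ebtables/iptables failure leaves the NIC up with partial filtering and no trace in the host logs — at least record the failure before continuing, e.g. `$1 &>/dev/null || logger -t snf-network "$1 failed for $INTERFACE"`. In routed_setup_ipv6 `uplink` is empty when table `$TABLE` has no default route, and `ip -6 neigh add proxy $eui64 dev $uplink` then fails in the same silent way. The heredoc in setup_nfdhcpd is garbled on this page (`cat >$FILE </dev/null)`), so its contents could not be reviewed.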
@@ -3,172 +3,17 @@ # This is an example of a Ganeti kvm ifup script that configures network # interfaces based on the initial deployment of the Okeanos project -TAP_CONSTANT_MAC=cc:47:52:4e:45:54 # GRNET in hex :-) -MAC2EUI64=/usr/bin/mac2eui64 -NFDHCPD_STATE_DIR=/var/lib/nfdhcpd - -function clear_routed_setup_ipv4 { - - arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle - while ip rule del dev $INTERFACE; do :; done - iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP - -} - -function clear_routed_setup_ipv6 { - - while ip -6 rule del dev $INTERFACE; do :; done - -} - - -function clear_routed_setup_firewall { - - for oldchain in protected unprotected limited; do - iptables -D FORWARD -o $INTERFACE -j $oldchain - ip6tables -D FORWARD -o $INTERFACE -j $oldchain - done - -} - -function clear_ebtables { - - ebtables -D FORWARD -i $TAP -j $FROM - ebtables -D FORWARD -o $TAP -j $TO - #ebtables -D OUTPUT -o $TAP -j $TO - - ebtables -X $FROM - ebtables -X $TO -} - - -function clear_nfdhcpd { - - rm $NFDHCPD_STATE_DIR/$INTERFACE - -} - - -function routed_setup_ipv4 { - - # mangle ARPs to come from the gw's IP - arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY" - - # route interface to the proper routing table - ip rule add dev $INTERFACE table $TABLE - - # static route mapping IP -> INTERFACE - ip route replace $IP proto static dev $INTERFACE table $TABLE - - # Enable proxy ARP - echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp -} - -function routed_setup_ipv6 { - # Add a routing entry for the eui-64 - prefix=$NETWORK_SUBNET6 - uplink=$(ip -6 route list table $TABLE | grep "default via" | awk '{print $5}') - eui64=$($MAC2EUI64 $MAC $prefix) - - - ip -6 rule add dev $INTERFACE table $TABLE - ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE - ip -6 neigh add proxy $eui64 dev $uplink - - # disable proxy NDP since we're handling this on userspace - # this should be the default, but better safe than 
sorry - echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp -} - -# pick a firewall profile per NIC, based on tags (and apply it) -function routed_setup_firewall { - ifprefix="synnefo:network:$INTERFACE_INDEX:" - for tag in $TAGS; do - case ${tag#$ifprefix} in - protected) - chain=protected - ;; - unprotected) - chain=unprotected - ;; - limited) - chain=limited - ;; - esac - done - - if [ "x$chain" != "x" ]; then - iptables -A FORWARD -o $INTERFACE -j $chain - ip6tables -A FORWARD -o $INTERFACE -j $chain - fi -} - -function init_ebtables { - - ebtables -N $FROM - ebtables -A FORWARD -i $TAP -j $FROM - ebtables -N $TO - ebtables -A FORWARD -o $TAP -j $TO - -} - - -function setup_ebtables { - - # do not allow changes in ip-mac pair - if [ -n "$IP"]; then - ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP - fi - ebtables -A $FROM -s \! $MAC -j DROP - #accept dhcp responses from host (nfdhcpd) - ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT - # allow only packets from the same mac prefix - ebtables -A $TO -s \! 
$MAC/$MAC_MASK -j DROP -} - -function setup_masq { - - # allow packets from/to router (for masquerading) - # ebtables -A $TO -s $NODE_MAC -j ACCEPT - # ebtables -A INPUT -i $TAP -j $FROM - # ebtables -A OUTPUT -o $TAP -j $TO - return - -} - -function setup_nfdhcpd { - umask 022 - FILE=$NFDHCPD_STATE_DIR/$INTERFACE - #IFACE is the interface from which the packet seems to arrive - #needed in bridged mode where the packets seems to arrive from the - #bridge and not from the tap - cat >$FILE </dev/null) -EOF - -} - - source /etc/default/snf-network +source /usr/lib/snf-network/common.sh -TAP=$INTERFACE -FROM=FROM${TAP^^} -TO=TO${TAP^^} +FROM=FROM${INTERFACE^^} +TO=TO${INTERFACE^^} -clear_routed_setup_ipv4 > /dev/null 2>&1 -clear_routed_setup_ipv6 > /dev/null 2>&1 -clear_routed_setup_firewall > /dev/null 2>&1 -clear_ebtables > /dev/null 2>&1 -clear_nfdhcpd > /dev/null 2>&1 +try clear_routed_setup_ipv4 +try clear_routed_setup_ipv6 +try clear_routed_setup_firewall +try clear_ebtables +try clear_nfdhcpd if [ "$MODE" = "routed" ]; then TABLE=$LINK @@ -179,7 +24,7 @@ elif [ "$MODE" = "bridged" ]; then ip link set $INTERFACE up brctl addif $BRIDGE $INTERFACE INDEV=$BRIDGE - init_ebtables > /dev/null 2>&1 + try init_ebtables DROPDHCPREQCMD="ebtables -A $FROM -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP" fi @@ -187,20 +32,20 @@ fi for tag in $NETWORK_TAGS; do case $tag in $IP_LESS_ROUTED_TAG) - routed_setup_ipv4 > /dev/null 2>&1 - routed_setup_ipv6 > /dev/null 2>&1 - routed_setup_firewall > /dev/null 2>&1 + try routed_setup_ipv4 + try routed_setup_ipv6 + try routed_setup_firewall ;; $NFDHCPD_TAG) # Drop unicast BOOTP/DHCP packets - $DROPDHCPREQCMD > /dev/null 2>&1 - setup_nfdhcpd > /dev/null 2>&1 + $DROPDHCPREQCMD + try setup_nfdhcpd ;; $MAC_FILTERED_TAG) - setup_ebtables > /dev/null 2>&1 + try setup_ebtables ;; $MASQ_TAG) - setup_masq > /dev/null 2>&1 + try setup_masq ;; esac done diff --git a/vif-custom b/vif-custom new file mode 100755 index 0000000..597d7fe 
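Review bot: The new `source /usr/lib/snf-network/common.sh` line is unchecked, and since `try` and every helper now live in that file, a missing or unreadable common.sh turns all later `try clear_*`, `try routed_setup_*` and `try setup_ebtables` calls into non-fatal command-not-found errors while the interface is still brought up and added to the bridge — the script fails open; use `source /usr/lib/snf-network/common.sh || exit 1`. The hunk also deletes `MAC2EUI64=/usr/bin/mac2eui64` and `NFDHCPD_STATE_DIR=/var/lib/nfdhcpd` without the common.sh hunk redefining them, so unless /etc/default/snf-network now provides both, `routed_setup_ipv6` runs an empty command for `eui64` and `clear_nfdhcpd`/`setup_nfdhcpd` operate on `/$INTERFACE` instead of the state directory. Replacing the `> /dev/null 2>&1` redirections with `try` preserves the same error swallowing, so none of these conditions would be visible in the host logs. The routed branch of the trailing `if` continues outside the hunk.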
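Review bot: `$DROPDHCPREQCMD` is the only invocation in this hunk left unwrapped after the `> /dev/null 2>&1` redirections were replaced by `try`, and it is still run as an unquoted string expansion; when `MODE` is neither routed nor bridged the variable is empty and the `$NFDHCPD_TAG` arm installs no unicast-DHCP DROP at all, silently. Prefer building it as an array in the `if` that sets it (`DROPDHCPREQCMD=(ebtables -A "$FROM" -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP)`), invoking `"${DROPDHCPREQCMD[@]}"`, and treating an empty value as an error. That `if` lies in the earlier hunks of this file, and vif-custom carries the identical lines.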
--- /dev/null
+++ b/vif-custom
@@ -0,0 +1,63 @@
+#!/bin/bash
+
+
+dir=$(dirname "$0")
+. "$dir"/vif-common.sh
+
+source /etc/default/snf-network
+source /usr/lib/snf-network/common.sh
+
+domname=$(xm domname $domid)
+
+source $GANETI_NIC_DIR/$domname/$devid
+
+INTERFACE=$dev
+INSTANCE=$domname
+
+FROM=FROM${INTERFACE^^}
+TO=TO${INTERFACE^^}
+
+
+try clear_routed_setup_ipv4
+try clear_routed_setup_ipv6
+try clear_routed_setup_firewall
+try clear_ebtables
+try clear_nfdhcpd
+
+if [ "$MODE" = "routed" ]; then
+ TABLE=$LINK
+ ip link set $INTERFACE up
+ success
+ INDEV=$INTERFACE
+ DROPDHCPREQCMD="iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP"
+elif [ "$MODE" = "bridged" ]; then
+ ip link set $INTERFACE up
+ BRIDGE=$(xenstore_read_default "$XENBUS_PATH/bridge" "$LINK")
+ brctl addif $BRIDGE $INTERFACE
+ success
+ INDEV=$BRIDGE
+ try init_ebtables
+ DROPDHCPREQCMD="ebtables -A $FROM -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP"
+fi
+
+
+for tag in $NETWORK_TAGS; do
+ case $tag in
+ $IP_LESS_ROUTED_TAG)
+ try routed_setup_ipv4
+ try routed_setup_ipv6
+ try routed_setup_firewall
+ ;;
+ $NFDHCPD_TAG)
+ # Drop unicast BOOTP/DHCP packets
+ $DROPDHCPREQCMD
+ try setup_nfdhcpd
+ ;;
+ $MAC_FILTERED_TAG)
+ try setup_ebtables
+ ;;
+ $MASQ_TAG)
+ try setup_masq
+ ;;
+ esac
+done
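Review bot: `success` is called in both the routed and the bridged branch before the `for tag in $NETWORK_TAGS` loop has installed any ebtables/iptables rules, so Xen marks the vif connected while it is already up (and, in bridged mode, already attached to `$BRIDGE`) with no MAC, IP or DHCP filtering applied; move a single `success` after `done` so the guest is released only once the filters are in place. `source $GANETI_NIC_DIR/$domname/$devid` runs unchecked: if `xm domname $domid` fails, `$domname` is empty, the path degenerates to `$GANETI_NIC_DIR//$devid`, and `MODE`, `LINK`, `NETWORK_TAGS`, `IP` and `MAC` stay unset while the vif is still configured; guard it with `source "$GANETI_NIC_DIR/$domname/$devid" || fatal "cannot read NIC config for $domname/$devid"` (or `|| exit 1` if the sourced vif-common.sh does not provide `fatal`). The same up-then-filter ordering, minus the `success` signal, exists in kvm-vif-bridge and is not changed by this commit.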