Dimitris Aragriorgs [Thu, 6 Sep 2012 09:52:17 +0000 (12:52 +0300)]
Merge branch 'snf-master' into snf-debian
Dimitris Aragriorgs [Thu, 6 Sep 2012 09:11:09 +0000 (12:11 +0300)]
Remove rm -f pidfile
If it exists, a locking timeout is generated.
Signed-off-by: Dimitris Aragriorgs <dimara@grnet.gr>
Dimitris Aragriorgs [Wed, 5 Sep 2012 12:02:53 +0000 (15:02 +0300)]
Fix previous commit concerning pidfile
Signed-off-by: Dimitris Aragriorgs <dimara@grnet.gr>
Stratos Psomadakis [Wed, 5 Sep 2012 11:31:11 +0000 (14:31 +0300)]
Catch IPy exceptions for invalid networks/subnets
Signed-off-by: Stratos Psomadakis <psomas@grnet.gr>
Dimitris Aragriorgs [Thu, 30 Aug 2012 19:32:54 +0000 (22:32 +0300)]
Remove stale pid lock file
Signed-off-by: Dimitris Aragriorgs <dimara@grnet.gr>
Dimitris Aragiorgis [Tue, 7 Aug 2012 17:35:23 +0000 (20:35 +0300)]
In case make_ll64 fails, return
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Dimitris Aragiorgis [Tue, 7 Aug 2012 15:15:47 +0000 (18:15 +0300)]
Add try: except: in places of possible exceptions
pkt.lladdr
ns.lladdr
sendp
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Dimitris Aragiorgis [Tue, 7 Aug 2012 14:38:11 +0000 (17:38 +0300)]
Refactor nfdhcpd to support get_physindev()
If get_physindev is supported in nfqueue then the clients are indexed
by their tap ifindex. If not then clients are indexed by their macs.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Dimitris Aragiorgis [Mon, 6 Aug 2012 13:41:42 +0000 (16:41 +0300)]
Add nice debug messages for nfdhcpd clients
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Dimitris Aragiorgis [Thu, 26 Jul 2012 17:00:42 +0000 (20:00 +0300)]
Add ferm dependency
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Dimitris Aragiorgis [Sat, 21 Jul 2012 09:20:24 +0000 (12:20 +0300)]
Remove iptables from init scripts
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Dimitris Aragiorgis [Sat, 21 Jul 2012 09:18:34 +0000 (12:18 +0300)]
Change ferm
Mangle packets coming from tap+ and prv+ devices
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Dimitris Aragiorgis [Thu, 19 Jul 2012 16:18:51 +0000 (19:18 +0300)]
Reapply option for serving domain
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Dimitris Aragiorgis [Thu, 5 Jul 2012 15:24:59 +0000 (18:24 +0300)]
Remove mac2eui64 and refactor debian dir
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Dimitris Aragiorgis [Tue, 3 Jul 2012 10:59:11 +0000 (13:59 +0300)]
Change debian/changelog
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Dimitris Aragiorgis [Tue, 3 Jul 2012 10:34:57 +0000 (13:34 +0300)]
Add debug option
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Dimitris Aragiorgis [Tue, 3 Jul 2012 10:33:00 +0000 (13:33 +0300)]
init.d changes
We manage mangle rules when starting/stopping nfdhcpd
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Dimitris Aragiorgis [Tue, 3 Jul 2012 10:18:17 +0000 (13:18 +0300)]
Change nfdhcpd.ferm to support bridged clients
Mangle packets coming from all interfaces and not only from taps
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Dimitris Aragiorgis [Tue, 3 Jul 2012 10:17:55 +0000 (13:17 +0300)]
Change nameservers in nfdhcpd.conf
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Dimitris Aragiorgis [Tue, 3 Jul 2012 10:13:54 +0000 (13:13 +0300)]
Refactor nfdhcp
Get all info from binding file. Do not parse routing tables. Keep
track of clients depending on their mac. Support clients connected
on bridges. Instead of patching NFQUEUE add new slot in bindings
that shows the physical device the incoming request originates (tap).
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Dimitris Aragiorgis [Tue, 3 Jul 2012 10:00:39 +0000 (13:00 +0300)]
Add debian/gbp.conf for git-buildpackage
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Costas Drogos [Tue, 3 Apr 2012 13:44:10 +0000 (16:44 +0300)]
Move pidfile under /var/run/nfdhcpd
Fix permission error for unprivileged server when trying to remove pidfile
on exit, move pidfile under /var/run/nfdhcpd, modify initscript
accordingly.
Signed-off-by: Vangelis Koukis <vkoukis@grnet.gr>
Costas Drogos [Tue, 3 Apr 2012 13:43:48 +0000 (16:43 +0300)]
Merge branch 'master' into debian
Costas Drogos [Tue, 3 Apr 2012 13:35:30 +0000 (16:35 +0300)]
Changed pidfile location in configfile by vkoukis
Costas Drogos [Mon, 2 Apr 2012 07:44:05 +0000 (10:44 +0300)]
Debian Changelog for 0.6+nmu1
Costas Drogos [Mon, 2 Apr 2012 07:20:58 +0000 (10:20 +0300)]
Merge branch 'master' into debian
Costas Drogos [Mon, 2 Apr 2012 06:57:28 +0000 (09:57 +0300)]
Small typo introduced on
df3e8face1cf
Costas Drogos [Tue, 27 Mar 2012 22:28:41 +0000 (01:28 +0300)]
Option for serving domain from nfdhcpd to clients
On some occasions the clients do not send an fqdn as hostname,
so another way to send a domain is needed.
For that, a new optional config directive is introduced, called
"domain", as a way to hardcode the domain we serve.
If this directive is not defined, the traditional
'find domain through hostname' technique is used.
Costas Drogos [Tue, 27 Mar 2012 22:19:17 +0000 (01:19 +0300)]
Revert "Option for serving domain from nfdhcpd to clients"
This reverts commit
99915273041fc33631d34858a6e6b315492b8f84.
Should commit to master first.
Costas Drogos [Fri, 23 Mar 2012 09:50:26 +0000 (11:50 +0200)]
Option for serving domain from nfdhcpd to clients
On some occasions the clients do not send an fqdn as hostname,
so another way to send a domain is needed.
For that, a new optional config directive is introduced, called
"domain", as a way to hardcode the domain we serve.
If this directive is not defined, the traditional
'find domain through hostname' technique is used.
Faidon Liambotis [Wed, 12 Oct 2011 14:41:54 +0000 (17:41 +0300)]
Merge branch 'master' into debian
Faidon Liambotis [Wed, 12 Oct 2011 14:38:03 +0000 (17:38 +0300)]
mac2eui64: exit on an invalid IPv6 prefix
Vangelis Koukis [Wed, 7 Sep 2011 11:53:17 +0000 (14:53 +0300)]
Handle pidfile properly, redirect stderr in daemon
Handle pidfile creation properly, as part of daemonization process.
Parse config file and setup logging before daemonization.
Redirect stderr to logfile upon daemonization, otherwise numerous
unexpected exceptions get lost.
Apollon Oikonomopoulos [Wed, 12 Oct 2011 14:34:43 +0000 (17:34 +0300)]
Add mac2eui64 utility
Apollon Oikonomopoulos [Wed, 12 Oct 2011 14:33:32 +0000 (17:33 +0300)]
Adapt debian/changelog for the 0.5 release
* Enable logging of unhandled exceptions
* Do not send periodic RAs on IPv6-less interfaces
* Ignore requests on unknown interfaces
Apollon Oikonomopoulos [Mon, 20 Jun 2011 13:32:33 +0000 (16:32 +0300)]
Add debian/ tree
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 3 Jun 2011 09:10:50 +0000 (12:10 +0300)]
Enable logging of unhandled exceptions
Use the traceback module to log unhandled exceptions to the logfile when
running as a daemon.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 3 Jun 2011 08:50:34 +0000 (11:50 +0300)]
Do not send periodic RAs on IPv6-less interfaces
Ignore interfaces with no IPv6 subnets on the respective routing tables and log
a debug message.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 3 Jun 2011 08:45:03 +0000 (11:45 +0300)]
Ignore requests on unknown interfaces
We ignore requests on interfaces we don't have any information about.
Furthermore, we set a verdict of ACCEPT on these packets and let the kernel
handle them.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Tue, 22 Mar 2011 17:41:40 +0000 (19:41 +0200)]
Ignore link-local IPv6 routing table entries
If we have a client on the "main" routing table, then we must ignore all IPv6
link-local subnet declarations that appear in this routing table, possibly
"masking out" the intended network route.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Mon, 21 Mar 2011 20:06:29 +0000 (22:06 +0200)]
Small fixes to kvm-vif-bridge
Update kvm-vif-bridge to use mac2eui64 and also fix default nfdhcpd paths.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Mon, 21 Mar 2011 20:04:02 +0000 (22:04 +0200)]
Add simple mac2eui64 utility
Add a small utility to generate EUI-64 addresses from MAC-48 + IPv6 prefix.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Mon, 21 Mar 2011 19:46:19 +0000 (21:46 +0200)]
Fix error handling during binding file parsing
In case something went wrong during parse_binding_file, return None instead
of an obsolete tuple.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Mon, 14 Mar 2011 12:20:22 +0000 (14:20 +0200)]
Clean up resources upon exit
Wrap the main loop in a try..finally statement, calling our cleanup handler to
free all obtained resources.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Mon, 14 Mar 2011 11:58:42 +0000 (13:58 +0200)]
Handle the AF_PACKET socket instead of using scapy
Implement our own sendp() method, which has the following benefits:
* Keep a single socket and re-use it for all outgoing packets
* Speed up send operations by 2x
* Get rid of CAP_NET_RAW as we setup the socket during initialization
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 11 Mar 2011 15:26:13 +0000 (17:26 +0200)]
Also keep CAP_NET_ADMIN for nfqueue verdicts
This is needed for nfqueue to work properly. Without this, the kernel
never acknowledges the verdicts we set, the queue fills up and the
kernel drops packets. Worst of all, this happens completely silently.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 11 Mar 2011 13:02:46 +0000 (15:02 +0200)]
Fix nasty typo in parse_routing_table
It was meant to be re.group and not re.group*s* all along.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 11 Mar 2011 12:41:48 +0000 (14:41 +0200)]
Disable pylint warning for inotify handler methods
The name form for these methods is mandated by pyinotify itself,
so there's nothing we can do about it.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 11 Mar 2011 12:41:25 +0000 (14:41 +0200)]
Add pylintrc
Blatantly copy ganeti's pylintrc as a base for our own.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 11 Mar 2011 12:28:29 +0000 (14:28 +0200)]
Rename nfdhcp.ferm to nfdhcpd.ferm
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 11 Mar 2011 12:25:02 +0000 (14:25 +0200)]
Major code refactoring
Refactor code to meet pylint's recommendations
* Pass format string arguments as such in logging functions
* Move parse_binding_file and parse_routing_table to top-level functions
* Clean-up imports
* Update docstrings
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 11 Mar 2011 11:12:49 +0000 (13:12 +0200)]
Fix typo (vaildate -> validate)
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 11 Mar 2011 11:11:55 +0000 (13:11 +0200)]
Code refactoring to remove overlong lines
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 11 Mar 2011 11:08:48 +0000 (13:08 +0200)]
Improve error handling
Catch and handle specific exception families where possible and provide
additional information.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 3 Dec 2010 14:00:43 +0000 (16:00 +0200)]
Merge previous changes
Conflicts:
nfdhcpd: merge
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 3 Dec 2010 13:55:46 +0000 (15:55 +0200)]
Implement IPv6 RDNSS
Add support for ICMPv6 RDNSS (RFC 5006) to advertise DNS servers over ICMPv6
router advertisements.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 3 Dec 2010 13:54:59 +0000 (15:54 +0200)]
DHCP: use nameservers from config
Use the DNS servers from the config file for DHCP replies.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 3 Dec 2010 13:34:47 +0000 (15:34 +0200)]
Disable sending periodic RAs when IPv6 is disabled
Disabling IPv6 from the configuration file causes the server to not respond to
NS and RS, however it still tried to send out periodic RAs (which was a noop).
We explicitly set the timeout of select() to None to avoid this, when IPv6 is
disabled.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 3 Dec 2010 13:24:13 +0000 (15:24 +0200)]
Add configuration file validation
Add a specification of the configuration file and runtime validation, using
configobj's validate.Validator and custom checks for the nameserver lists.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 3 Dec 2010 12:25:47 +0000 (14:25 +0200)]
Add configuration file support
Add configuration file parsing using python-configobj. All command line options
except -d and -f have been moved to the configuration file.
A sample configuration file with all accepted options has been added as well.
Warning: validation and type casting is still missing.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Tue, 16 Nov 2010 17:20:27 +0000 (19:20 +0200)]
Open the logfile after changing uid and set umask
Set the process' umask in daemon.DaemonContext to 0022 (default was
0).
Open the logfile after dropping privileges, so that it is created with
proper permissions (this also ensures that log rotation will work).
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Tue, 16 Nov 2010 13:31:06 +0000 (15:31 +0200)]
Refactor the main loop code and increase RA period
Increase RA period to 300s by default
Refactor the main loop to check only once for timeout expiration. This
fixes spurious RA emission because we forgot to properly reset the
start timer.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Mon, 15 Nov 2010 19:13:40 +0000 (21:13 +0200)]
Use a separate thread for periodic RAs
Periodic RAs can take a _long_ time with many interfaces. The bottleneck
seems to lie in bind() and send() with AF_PACKET sockets. So, we spawn
a separate thread to be able to handle requests in the meantime.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Mon, 15 Nov 2010 19:12:08 +0000 (21:12 +0200)]
Gracefully handle ICMPv6 NS w/o SrcLLAddr option
Neighbour solicitations sent during interface configuration do not
include a Source Link-Layer Address option. We ignore them as we
shouldn't (and can't) reply anyway.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Mon, 15 Nov 2010 18:22:20 +0000 (20:22 +0200)]
Warn on NFQUEUE exception
Warn if anything goes wrong during select()
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Mon, 15 Nov 2010 18:21:58 +0000 (20:21 +0200)]
Whitespace cleanup
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Mon, 15 Nov 2010 18:20:43 +0000 (20:20 +0200)]
Gracefully handle dead interfaces on periodic RA
Remove any interfaces that are not there during periodic RA emission.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Mon, 15 Nov 2010 10:50:59 +0000 (12:50 +0200)]
Rename nfdhcp.py to nfdhcpd
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Mon, 15 Nov 2010 10:35:13 +0000 (12:35 +0200)]
Add sample ferm rules
Add rules for the ferm firewall management framework.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Sat, 13 Nov 2010 22:42:35 +0000 (00:42 +0200)]
Properly calculate the new timeout for select()
The elapsed time did not take into account the time needed to actually
send the RAs (which currently with scapy is long enough).
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Sat, 13 Nov 2010 12:02:51 +0000 (14:02 +0200)]
Added periodic RA functionality
The daemon now sends out ICMPv6 RAs periodically (every 30s)
to all configured interfaces.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 12 Nov 2010 16:01:44 +0000 (18:01 +0200)]
Add sample kvm-vif-bridge for use with ganeti
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 12 Nov 2010 15:59:42 +0000 (17:59 +0200)]
Proxy NDP support
Proxy all ICMPv6 Neighbor Solicitations on behalf of the connected
clients.
Signed-off-by: root <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 12 Nov 2010 13:05:48 +0000 (15:05 +0200)]
ICMPv6 RA support
The daemon now listens for router solicitations on a dedicated NFQUEUE
and responds with the appropriate router advertisement as needed.
TODO: implement periodic RAs
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 12 Nov 2010 11:56:34 +0000 (13:56 +0200)]
Namespace changes to facilitate DHCP/RA merging
Changes required to merge ICMPv6 RA functionality.
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Apollon Oikonomopoulos [Fri, 12 Nov 2010 11:29:03 +0000 (13:29 +0200)]
Initial commit: nfdhcp.py
Promiscuous DHCP with NFQUEUE support
Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>