Synnefo » snf-network

docs/_build

# Makefile for Sphinx documentation

#

# You can set these variables from the command line.

SPHINXOPTS    =

SPHINXBUILD   = sphinx-build

PAPER         =

BUILDDIR      = _build

# Internal variables.

PAPEROPT_a4     = -D latex_paper_size=a4

PAPEROPT_letter = -D latex_paper_size=letter

ALLSPHINXOPTS   = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .

# the i18n builder cannot share the environment and doctrees with the others

I18NSPHINXOPTS  = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .

.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext

help:

	@echo "Please use \`make <target>' where <target> is one of"

	@echo "  html       to make standalone HTML files"

	@echo "  dirhtml    to make HTML files named index.html in directories"

	@echo "  singlehtml to make a single large HTML file"

	@echo "  pickle     to make pickle files"

	@echo "  json       to make JSON files"

	@echo "  htmlhelp   to make HTML files and a HTML help project"

	@echo "  qthelp     to make HTML files and a qthelp project"

	@echo "  devhelp    to make HTML files and a Devhelp project"

	@echo "  epub       to make an epub"

	@echo "  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter"

	@echo "  latexpdf   to make LaTeX files and run them through pdflatex"

	@echo "  text       to make text files"

	@echo "  man        to make manual pages"

	@echo "  texinfo    to make Texinfo files"

	@echo "  info       to make Texinfo files and run them through makeinfo"

	@echo "  gettext    to make PO message catalogs"

	@echo "  changes    to make an overview of all changed/added/deprecated items"

	@echo "  linkcheck  to check all external links for integrity"

	@echo "  doctest    to run all doctests embedded in the documentation (if enabled)"

clean:

	-rm -rf $(BUILDDIR)/*

html:

	$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html

	@echo

	@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."

dirhtml:

	$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml

	@echo

	@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."

singlehtml:

	$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml

	@echo

	@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."

pickle:

	$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle

	@echo

	@echo "Build finished; now you can process the pickle files."

json:

	$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json

	@echo

	@echo "Build finished; now you can process the JSON files."

htmlhelp:

	$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp

	@echo

	@echo "Build finished; now you can run HTML Help Workshop with the" \

	      ".hhp project file in $(BUILDDIR)/htmlhelp."

qthelp:

	$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp

	@echo

	@echo "Build finished; now you can run "qcollectiongenerator" with the" \

	      ".qhcp project file in $(BUILDDIR)/qthelp, like this:"

	@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/snf-network.qhcp"

	@echo "To view the help file:"

	@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/snf-network.qhc"

devhelp:

	$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp

	@echo

	@echo "Build finished."

	@echo "To view the help file:"

	@echo "# mkdir -p $$HOME/.local/share/devhelp/snf-network"

	@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/snf-network"

	@echo "# devhelp"

epub:

	$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub

	@echo

	@echo "Build finished. The epub file is in $(BUILDDIR)/epub."

latex:

	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex

	@echo

	@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."

	@echo "Run \`make' in that directory to run these through (pdf)latex" \

	      "(use \`make latexpdf' here to do that automatically)."

latexpdf:

	$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex

	@echo "Running LaTeX files through pdflatex..."

	$(MAKE) -C $(BUILDDIR)/latex all-pdf

	@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."

text:

	$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text

	@echo

	@echo "Build finished. The text files are in $(BUILDDIR)/text."

man:

	$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man

	@echo

	@echo "Build finished. The manual pages are in $(BUILDDIR)/man."

texinfo:

	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo

	@echo

	@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."

	@echo "Run \`make' in that directory to run these through makeinfo" \

	      "(use \`make info' here to do that automatically)."

info:

	$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo

	@echo "Running Texinfo files through makeinfo..."

	make -C $(BUILDDIR)/texinfo info

	@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."

gettext:

	$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale

	@echo

	@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."

changes:

	$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes

	@echo

	@echo "The overview file is in $(BUILDDIR)/changes."

linkcheck:

	$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck

	@echo

	@echo "Link check complete; look for any errors in the above output " \

	      "or in $(BUILDDIR)/linkcheck/output.txt."

doctest:

	$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest

	@echo "Testing of doctests in the sources finished, look at the " \

	      "results in $(BUILDDIR)/doctest/output.txt."

# -*- coding: utf-8 -*-

#

# snf-network documentation build configuration file, created by

# sphinx-quickstart on Mon Jan 20 18:25:17 2014.

#

# This file is execfile()d with the current directory set to its containing dir.

#

# Note that not all possible configuration values are present in this

# autogenerated file.

#

# All configuration values have a default; values that are commented out

# serve to show the default.

import sys, os

# If extensions (or modules to document with autodoc) are in another directory,

# add these directories to sys.path here. If the directory is relative to the

# documentation root, use os.path.abspath to make it absolute, like shown here.

#sys.path.insert(0, os.path.abspath('.'))

# -- General configuration -----------------------------------------------------

# If your documentation needs a minimal Sphinx version, state it here.

#needs_sphinx = '1.0'

# Add any Sphinx extension module names here, as strings. They can be extensions

# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.

extensions = ['sphinx.ext.autodoc', 'sphinx.ext.doctest', 'sphinx.ext.intersphinx', 'sphinx.ext.todo', 'sphinx.ext.coverage', 'sphinx.ext.pngmath', 'sphinx.ext.ifconfig', 'sphinx.ext.viewcode']

# Add any paths that contain templates here, relative to this directory.

templates_path = ['_templates']

# The suffix of source filenames.

source_suffix = '.rst'

# The encoding of source files.

#source_encoding = 'utf-8-sig'

# The master toctree document.

master_doc = 'index'

# General information about the project.

project = u'snf-network'

copyright = u'2010-2013, GRNET S.A. All rights reserved'

# The version info for the project you're documenting, acts as replacement for

# |version| and |release|, also used in various other places throughout the

# built documents.

#

# The short X.Y version.

version = '0.12'

# The full version, including alpha/beta/rc tags.

release = '0.12.2'

# The language for content autogenerated by Sphinx. Refer to documentation

# for a list of supported languages.

#language = None

# There are two options for replacing |today|: either, you set today to some

# non-false value, then it is used:

#today = ''

# Else, today_fmt is used as the format for a strftime call.

#today_fmt = '%B %d, %Y'

# List of patterns, relative to source directory, that match files and

# directories to ignore when looking for source files.

exclude_patterns = ['_build']

# The reST default role (used for this markup: `text`) to use for all documents.

#default_role = None

# If true, '()' will be appended to :func: etc. cross-reference text.

#add_function_parentheses = True

# If true, the current module name will be prepended to all description

# unit titles (such as .. function::).

#add_module_names = True

# If true, sectionauthor and moduleauthor directives will be shown in the

# output. They are ignored by default.

#show_authors = False

# The name of the Pygments (syntax highlighting) style to use.

pygments_style = 'sphinx'

# A list of ignored prefixes for module index sorting.

#modindex_common_prefix = []

# -- Options for HTML output ---------------------------------------------------

# The theme to use for HTML and HTML Help pages.  See the documentation for

# a list of builtin themes.

html_theme = 'default'

# Theme options are theme-specific and customize the look and feel of a theme

# further.  For a list of options available for each theme, see the

# documentation.

html_theme_options = {

           'collapsiblesidebar': 'true',

           'footerbgcolor':    '#55b577',

           'footertextcolor':  '#000000',

           'sidebarbgcolor':   '#ffffff',

           'sidebarbtncolor':  '#f2f2f2',

           'sidebartextcolor': '#000000',

           'sidebarlinkcolor': '#328e4a',

           'relbarbgcolor':    '#55b577',

           'relbartextcolor':  '#ffffff',

           'relbarlinkcolor':  '#ffffff',

           'bgcolor':          '#ffffff',

           'textcolor':        '#000000',

           'headbgcolor':      '#ffffff',

           'headtextcolor':    '#000000',

           'headlinkcolor':    '#c60f0f',

           'linkcolor':        '#328e4a',

           'visitedlinkcolor': '#63409b',

           'codebgcolor':      '#eeffcc',

           'codetextcolor':    '#333333'

}

# Add any paths that contain custom themes here, relative to this directory.

#html_theme_path = []

# The name for this set of Sphinx documents.  If None, it defaults to

# "<project> v<release> documentation".

#html_title = None

# A shorter title for the navigation bar.  Default is the same as html_title.

#html_short_title = None

# The name of an image file (relative to this directory) to place at the top

# of the sidebar.

#html_logo = None

# The name of an image file (within the static path) to use as favicon of the

# docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32

# pixels large.

#html_favicon = None

# Add any paths that contain custom static files (such as style sheets) here,

# relative to this directory. They are copied after the builtin static files,

# so a file named "default.css" will overwrite the builtin "default.css".

html_static_path = ['_static']

# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,

# using the given strftime format.

#html_last_updated_fmt = '%b %d, %Y'

# If true, SmartyPants will be used to convert quotes and dashes to

# typographically correct entities.

#html_use_smartypants = True

# Custom sidebar templates, maps document names to template names.

#html_sidebars = {}

# Additional templates that should be rendered to pages, maps page names to

# template names.

#html_additional_pages = {}

# If false, no module index is generated.

#html_domain_indices = True

# If false, no index is generated.

#html_use_index = True

# If true, the index is split into individual pages for each letter.

#html_split_index = False

# If true, links to the reST sources are added to the pages.

#html_show_sourcelink = True

# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.

#html_show_sphinx = True

# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.

#html_show_copyright = True

# If true, an OpenSearch description file will be output, and all pages will

# contain a <link> tag referring to it.  The value of this option must be the

# base URL from which the finished HTML is served.

#html_use_opensearch = ''

# This is the file name suffix for HTML files (e.g. ".xhtml").

#html_file_suffix = None

# Output file base name for HTML help builder.

htmlhelp_basename = 'snf-networkdoc'

# -- Options for LaTeX output --------------------------------------------------

latex_elements = {

# The paper size ('letterpaper' or 'a4paper').

#'papersize': 'letterpaper',

# The font size ('10pt', '11pt' or '12pt').

#'pointsize': '10pt',

# Additional stuff for the LaTeX preamble.

#'preamble': '',

}

# Grouping the document tree into LaTeX files. List of tuples

# (source start file, target name, title, author, documentclass [howto/manual]).

latex_documents = [

  ('index', 'snf-network.tex', u'snf-network Documentation',

   u'Synnefo Development', 'manual'),

]

# The name of an image file (relative to this directory) to place at the top of

# the title page.

#latex_logo = None

# For "manual" documents, if this is true, then toplevel headings are parts,

# not chapters.

#latex_use_parts = False

# If true, show page references after internal links.

#latex_show_pagerefs = False

# If true, show URL addresses after external links.

#latex_show_urls = False

# Documents to append as an appendix to all manuals.

#latex_appendices = []

# If false, no module index is generated.

#latex_domain_indices = True

# -- Options for manual page output --------------------------------------------

# One entry per manual page. List of tuples

# (source start file, name, description, authors, manual section).

man_pages = [

    ('index', 'snf-network', u'snf-network Documentation',

     [u'Synnefo Development'], 1)

]

# If true, show URL addresses after external links.

#man_show_urls = False

# -- Options for Texinfo output ------------------------------------------------

# Grouping the document tree into Texinfo files. List of tuples

# (source start file, target name, title, author,

#  dir menu entry, description, category)

texinfo_documents = [

  ('index', 'snf-network', u'snf-network Documentation',

   u'Synnefo Development', 'snf-network', 'One line description of project.',

   'Miscellaneous'),

]

# Documents to append as an appendix to all manuals.

#texinfo_appendices = []

# If false, no module index is generated.

#texinfo_domain_indices = True

# How to display URL addresses: 'footnote', 'no', or 'inline'.

#texinfo_show_urls = 'footnote'

# If true, do not generate a @detailmenu in the "Top" node's menu.

#texinfo_no_detailmenu = False

# Example configuration for intersphinx: refer to the Python standard library.

intersphinx_mapping = {'http://docs.python.org/': None}

.. snf-network documentation master file, created by

   sphinx-quickstart on Wed Feb 12 20:00:16 2014.

   You can adapt this file completely to your liking, but it should at least

   contain the root `toctree` directive.

Welcome to snf-network's documentation!

=======================================

snf-network is a set of scripts that handle the network configuration of

an instance inside a Ganeti cluster. It takes advantange of the

variables that Ganeti exports to their execution environment and issue

all the necessary commands to ensure network connectivity to the instance

based on the requested setup.

Environment

-----------

Ganeti supports `IP pool management

<http://docs.ganeti.org/ganeti/master/html/design-network.html>`_

so that end-user can put instances inside networks and get all information

related to the network in scripts. Specifically the following options are

exported:

* IP

* MAC

* MODE

* LINK

are per NIC specific, whereas:

* NETWORK_SUBNET

* NETWORK_GATEWAY

* NETWORK_MAC_PREFIX

* NETWORK_TAGS

* NETWORK_SUBNET6

* NETWORK_GATEWAY6

are inherited by the network in which a NIC resides (optional).

Scripts

-------

The scripts can be devided into two categories:

1. The scripts that are invoked explicitly by Ganeti upon NIC creation.

2. The scripts that are invoked by Ganeti Hooks Manager before or after an

   opcode execution.

The first group has the exact NIC info that is about to be configured where

the latter one has the info of the whole instance. The big difference is that

instance configuration (from the master perspective) might vary or be total

different from the one that is currently running. The reason is that some

modifications can take place without hotplug.

kvm-ifup-custom

^^^^^^^^^^^^^^^

Ganeti upon instance startup and NIC hotplug creates the TAP devices to

reflect to the instance's NICs. After that it invokes the Ganeti's `kvm-ifup`

script with the TAP name as first argument and an environment including

all NIC's and the corresponding network's info. This script searches for

a user provided one under `/etc/ganeti/kvm-ifup-custom` and executes it

instead.

kvm-ifdown-custom

^^^^^^^^^^^^^^^^^

In order to cleanup or modify the node's setup or the configuration of an

external component, Ganeti upon instance shutdown, successful instance

migration on source node and NIC hot-unplug invokes `kvm-ifdown` script

with the TAP name as first argument and a boolean second argument pointing

whether we want to do local cleanup only (in case of instance migration) or

totally unconfigure the interface along with e.g., any DNS entries (in case

of NIC hot-unplug). This script searches for a user provided one under

`/etc/ganeti/kvm-ifdown-custom` and executes it instead.

vif-custom

^^^^^^^^^^

Ganeti provides a hypervisor parameter that defines the script to be executed

per NIC upon instance startup: `vif-script`. Ganeti provides `vif-ganeti` as

example script which executes `/etc/xen/scripts/vif-custom` if found.

snf-network-hook

^^^^^^^^^^^^^^^^

This hook gets all static info related to an instance from evironment variables

and issues any commands needed. It was used to fix node's setup upon migration

when ifdown script was not supported but now it does nothing.

snf-network-dnshook

^^^^^^^^^^^^^^^^^^^

This hook updates an external `DDNS <https://wiki.debian.org/DDNS>`_ setup via

``nsupdate``. Since we add/remove entries during ifup/ifdown scripts, we use

this only during instance remove/shutdown/rename. It does not rely on exported

environment but it queries first the DNS server to obtain current entries and

then it invokes the neccessary commands to remove them (and the relevant

reverse ones too).

Supported Setups

----------------

Currently since NICs in Ganeti are not taggable objects, we use network's and

instance's tags to customize each NIC configuration. NIC inherits the network's

tags (if attached to any) and further customization can be achieved with

instance tags e.g. <tag prefix>:<nic uuid or name>:<tag>. In the following

subsections we will mention all supported tags and their reflected underline

setup.

ip-less-routed

^^^^^^^^^^^^^^

This setup has the following characteristics:

* An external gateway on the same collition domain with all nodes on some

  interface (e.g. eth1, eth0.200) is needed.

* Each node is a router for the hostes VMs

* The node itself does not have an IP inside the routed network

* The node does proxy ARP for IPv4 networks

* The node does proxy NDP for IPv6 networks while RA and NA are

* RS and NS are served locally by

  `nfdhcpd <http://www.synnefo.org/docs/nfdhcpd/latest/index.html>`_

  since the VMs are not on the same link with the router.

Lets analyze a simple PING from an instance to an external IP using this setup.

We assume the following:

* ``IP`` is the instance's IP

* ``GW_IP`` is the external router's IP

* ``NODE_IP`` is the node's IP

* ``ARP_IP`` is a dummy IP inside the network needed for proxy ARP

* ``MAC`` is the instance's MAC

* ``TAP_MAC`` is the tap's MAC

* ``DEV_MAC`` is the host's DEV MAC

* ``GW_MAC`` is the external router's MAC

* ``DEV`` is the node's device that the router is visible from

* ``TAP`` is the host interface connected with the instance's eth0

Since we suppose to be on the same link with the router, ARP takes place first:

1) The VM wants to know the GW_MAC. Since the traffic is routed we do proxy ARP.

 - ARP, Request who-has GW_IP tell IP

 - ARP, Reply GW_IP is-at TAP_MAC ``echo 1 > /proc/sys/net/conf/TAP/proxy_arp``

 - So `arp -na` insided the VM shows: ``(GW_IP) at TAP_MAC [ether] on eth0``

2) The host wants to know the GW_MAC. Since the node does **not** have an IP

   inside the network we use the dummy one specified above.

 - ARP, Request who-has GW_IP tell ARP_IP (Created by DEV)

   ``arptables -I OUTPUT -o DEV --opcode 1 -j mangle --mangle-ip-s ARP_IP``

 - ARP, Reply GW_IP is-at GW_MAC

3) The host wants to know MAC so that it can proxy it.

 - We simulate here that the VM sees **only** GW on the link.

 - ARP, Request who-has IP tell GW_IP (Created by TAP)

   ``arptables -I OUTPUT -o TAP --opcode 1 -j mangle --mangle-ip-s GW_IP``

 - So `arp -na` inside the host shows:

   ``(GW_IP) at GW_MAC [ether] on DEV, (IP) at MAC on TAP``

4) GW wants to know who does proxy for IP.

 - ARP, Request who-has IP tell GW_IP

 - ARP, Reply IP is-at DEV_MAC (Created by host's DEV)

With the above we have a working proxy ARP configuration. The rest is done

via simple L3 routing. Lets assume the following:

* ``TABLE`` is the extra routing table

* ``SUBNET`` is the IPv4 subnet where the VM's IP reside

1) Outgoing traffic:

 - Traffic coming out of TAP is routed via TABLE

   ``ip rule add dev TAP table TABLE``

 - TABLE states that default route is GW_IP via DEV

   ``ip route add default via GW_IP dev DEV``

2) Incoming traffic:

 - Packet arrives at router

 - Router knows from proxy ARP that the IP is at DEV_MAC.

 - Router sends ethernet packet with tgt DEV_MAC

 - Host receives the packet from DEV interface

 - Traffic coming out DEV is routed via TABLE

   ``ip rule add dev DEV table TABLE``

 - Traffic targeting IP is routed to TAP

   ``ip route add IP dev TAP``

3) Host to VM traffic:

 - Impossible if the VM resides in the host

 - Otherwise there is a route for it: ``ip route add SUBNET dev DEV``

The IPv6 setup is pretty similar but instead of proxy ARP we have proxy NDP

and RS and NS coming from TAP are served by nfdhpcd. RA contain network's

prefix and has M flag unset in order the VM to obtain its IP6 via SLAAC and

O flag set to obtain static info (nameservers, domain search list) via DHCPv6

(also served by nfdhcpd).

Again the VM sees on its link local only TAP which is supposed to be the

Router. The host does proxy for IP6 ``ip -6 neigh add EUI64 dev DEV``.

When an interface gets up inside a host we should invalidate all entries

related to its IP among other nodes and the router. For proxy ARP we do

``arpsend -U -c 1 -i IP DEV`` and for proxy NDP we do ``ndsend EUI64 DEV``

private-filtered

^^^^^^^^^^^^^^^^

In order to provide L2 isolation among several VMs we can use ebtables on a

**single** bridge. The infrastracture must provide a physical VLAN or separate

interaface shared among all nodes in the cluster. All virtual interfaces will

be bridged on a common bridge (e.g. ``prv0``) and filtering will be done via

ebtables and MAC prefix. The concept is that all interfaces on the same L2

should have the same MAC prefix. MAC prefix uniqueness is quaranteed by

synnefo and passed to Ganeti as a network option.

To ensure isolation we should allow traffic coming from tap to have specific

source MAC and at the same time allow traffic coming to tap to have a source

MAC in the same MAC prefix. Applying those rules only in FORWARD chain will not

guarantee isolation. The reason is because packets with target MAC a `mutlicast

address <http://en.wikipedia.org/wiki/Multicast_address>`_ go through INPUT and

OUTPUT chains. To sum up the following ebtables rules are applied:

.. code-block:: console

  # Create new chains

  ebtables -t filter -N FROMTAP5

  ebtables -t filter -N TOTAP5

  # Filter multicast traffic from VM

  ebtables -t filter -A INPUT -i tap5 -j FROMTAP5

  # Filter multicast traffic to VM

  ebtables -t filter -A OUTPUT -o tap5 -j TOTAP5

  # Filter traffic from VM

  ebtables -t filter -A FORWARD -i tap5 -j FROMTAP5

  # Filter traffic to VM

  ebtables -t filter -A FORWARD -o tap5 -j TOTAP5

  # Allow only specific src MAC for outgoing traffic

  ebtables -t filter -A FROMTAP5 -s ! aa:55:66:1a:ae:82 -j DROP

  # Allow only specific src MAC prefix for incoming traffic

  ebtables -t filter -A TOTAP5 -s ! aa:55:60:0:0:0/ff:ff:f0:0:0:0 -j DROP

dns

^^^

snf-network can update an external `DDNS <https://wiki.debian.org/DDNS>`_

server.  `ifup` and `ifdown` scripts, if `dns` network tag is found, will use

`nsupdate` and add/remove entries related to the interface that is being

managed.

Contents:

.. toctree::

   :maxdepth: 2

Indices and tables

==================

* :ref:`genindex`

* :ref:`modindex`

* :ref:`search`

@ECHO OFF

REM Command file for Sphinx documentation

if "%SPHINXBUILD%" == "" (

	set SPHINXBUILD=sphinx-build

)

set BUILDDIR=_build

set ALLSPHINXOPTS=-d %BUILDDIR%/doctrees %SPHINXOPTS% .

set I18NSPHINXOPTS=%SPHINXOPTS% .

if NOT "%PAPER%" == "" (

	set ALLSPHINXOPTS=-D latex_paper_size=%PAPER% %ALLSPHINXOPTS%

	set I18NSPHINXOPTS=-D latex_paper_size=%PAPER% %I18NSPHINXOPTS%

)

if "%1" == "" goto help

if "%1" == "help" (

	:help

	echo.Please use `make ^<target^>` where ^<target^> is one of

	echo.  html       to make standalone HTML files

	echo.  dirhtml    to make HTML files named index.html in directories

	echo.  singlehtml to make a single large HTML file

	echo.  pickle     to make pickle files

	echo.  json       to make JSON files

	echo.  htmlhelp   to make HTML files and a HTML help project

	echo.  qthelp     to make HTML files and a qthelp project

	echo.  devhelp    to make HTML files and a Devhelp project

	echo.  epub       to make an epub

	echo.  latex      to make LaTeX files, you can set PAPER=a4 or PAPER=letter

	echo.  text       to make text files

	echo.  man        to make manual pages

	echo.  texinfo    to make Texinfo files

	echo.  gettext    to make PO message catalogs

	echo.  changes    to make an overview over all changed/added/deprecated items

	echo.  linkcheck  to check all external links for integrity

	echo.  doctest    to run all doctests embedded in the documentation if enabled

	goto end

)

if "%1" == "clean" (

	for /d %%i in (%BUILDDIR%\*) do rmdir /q /s %%i

	del /q /s %BUILDDIR%\*

	goto end

)

if "%1" == "html" (

	%SPHINXBUILD% -b html %ALLSPHINXOPTS% %BUILDDIR%/html

	if errorlevel 1 exit /b 1

	echo.

	echo.Build finished. The HTML pages are in %BUILDDIR%/html.

	goto end

)

if "%1" == "dirhtml" (

	%SPHINXBUILD% -b dirhtml %ALLSPHINXOPTS% %BUILDDIR%/dirhtml

	if errorlevel 1 exit /b 1

	echo.

	echo.Build finished. The HTML pages are in %BUILDDIR%/dirhtml.

	goto end

)

if "%1" == "singlehtml" (

	%SPHINXBUILD% -b singlehtml %ALLSPHINXOPTS% %BUILDDIR%/singlehtml

	if errorlevel 1 exit /b 1

	echo.

	echo.Build finished. The HTML pages are in %BUILDDIR%/singlehtml.

	goto end

)

if "%1" == "pickle" (

	%SPHINXBUILD% -b pickle %ALLSPHINXOPTS% %BUILDDIR%/pickle

	if errorlevel 1 exit /b 1

	echo.

	echo.Build finished; now you can process the pickle files.

	goto end

)

if "%1" == "json" (

	%SPHINXBUILD% -b json %ALLSPHINXOPTS% %BUILDDIR%/json

	if errorlevel 1 exit /b 1

	echo.

	echo.Build finished; now you can process the JSON files.

	goto end

)

if "%1" == "htmlhelp" (

	%SPHINXBUILD% -b htmlhelp %ALLSPHINXOPTS% %BUILDDIR%/htmlhelp

	if errorlevel 1 exit /b 1

	echo.

	echo.Build finished; now you can run HTML Help Workshop with the ^

.hhp project file in %BUILDDIR%/htmlhelp.

	goto end

)

if "%1" == "qthelp" (

	%SPHINXBUILD% -b qthelp %ALLSPHINXOPTS% %BUILDDIR%/qthelp

	if errorlevel 1 exit /b 1

	echo.

	echo.Build finished; now you can run "qcollectiongenerator" with the ^

.qhcp project file in %BUILDDIR%/qthelp, like this:

	echo.^> qcollectiongenerator %BUILDDIR%\qthelp\snf-network.qhcp

	echo.To view the help file:

	echo.^> assistant -collectionFile %BUILDDIR%\qthelp\snf-network.ghc

	goto end

)

if "%1" == "devhelp" (

	%SPHINXBUILD% -b devhelp %ALLSPHINXOPTS% %BUILDDIR%/devhelp

	if errorlevel 1 exit /b 1

	echo.

	echo.Build finished.

	goto end

)

if "%1" == "epub" (

	%SPHINXBUILD% -b epub %ALLSPHINXOPTS% %BUILDDIR%/epub

	if errorlevel 1 exit /b 1

	echo.

	echo.Build finished. The epub file is in %BUILDDIR%/epub.

	goto end

)

if "%1" == "latex" (

	%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex

	if errorlevel 1 exit /b 1

	echo.

	echo.Build finished; the LaTeX files are in %BUILDDIR%/latex.

	goto end

)

if "%1" == "text" (

	%SPHINXBUILD% -b text %ALLSPHINXOPTS% %BUILDDIR%/text

	if errorlevel 1 exit /b 1

	echo.

	echo.Build finished. The text files are in %BUILDDIR%/text.

	goto end

)

if "%1" == "man" (

	%SPHINXBUILD% -b man %ALLSPHINXOPTS% %BUILDDIR%/man

	if errorlevel 1 exit /b 1

	echo.

	echo.Build finished. The manual pages are in %BUILDDIR%/man.

	goto end

)

if "%1" == "texinfo" (

	%SPHINXBUILD% -b texinfo %ALLSPHINXOPTS% %BUILDDIR%/texinfo

	if errorlevel 1 exit /b 1

	echo.

	echo.Build finished. The Texinfo files are in %BUILDDIR%/texinfo.

	goto end

)

if "%1" == "gettext" (

	%SPHINXBUILD% -b gettext %I18NSPHINXOPTS% %BUILDDIR%/locale

	if errorlevel 1 exit /b 1

	echo.

	echo.Build finished. The message catalogs are in %BUILDDIR%/locale.

	goto end

)

if "%1" == "changes" (

	%SPHINXBUILD% -b changes %ALLSPHINXOPTS% %BUILDDIR%/changes

	if errorlevel 1 exit /b 1

	echo.

	echo.The overview file is in %BUILDDIR%/changes.

	goto end

)

if "%1" == "linkcheck" (

	%SPHINXBUILD% -b linkcheck %ALLSPHINXOPTS% %BUILDDIR%/linkcheck

	if errorlevel 1 exit /b 1

	echo.

	echo.Link check complete; look for any errors in the above output ^

or in %BUILDDIR%/linkcheck/output.txt.

	goto end

)

if "%1" == "doctest" (

	%SPHINXBUILD% -b doctest %ALLSPHINXOPTS% %BUILDDIR%/doctest

	if errorlevel 1 exit /b 1

	echo.

	echo.Testing of doctests in the sources finished, look at the ^

results in %BUILDDIR%/doctest/output.txt.

	goto end

)

:end