Revision 2b9e52e1 kvm-vif-bridge
b/kvm-vif-bridge | ||
---|---|---|
7 | 7 |
MAC2EUI64=/usr/bin/mac2eui64 |
8 | 8 |
NFDHCPD_STATE_DIR=/var/lib/nfdhcpd |
9 | 9 |
|
10 |
function clear_routed_setup_ipv4 { |
|
10 | 11 |
|
12 |
arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle |
|
13 |
while ip rule del dev $INTERFACE; do :; done |
|
14 |
iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP |
|
11 | 15 |
|
12 |
function clear_tap {
|
|
16 |
}
|
|
13 | 17 |
|
14 |
arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle >/dev/null 2>&1 |
|
15 |
while ip rule del dev $INTERFACE; do :; done >/dev/null 2>&1 |
|
16 |
iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP > /dev/null 2>&1 |
|
18 |
function clear_routed_setup_ipv6 { |
|
17 | 19 |
|
20 |
while ip -6 rule del dev $INTERFACE; do :; done |
|
18 | 21 |
|
19 | 22 |
} |
20 | 23 |
|
24 |
|
|
25 |
function clear_routed_setup_firewall { |
|
26 |
|
|
27 |
for oldchain in protected unprotected limited; do |
|
28 |
iptables -D FORWARD -o $INTERFACE -j $oldchain |
|
29 |
ip6tables -D FORWARD -o $INTERFACE -j $oldchain |
|
30 |
done |
|
31 |
|
|
32 |
} |
|
33 |
|
|
34 |
function clear_ebtables { |
|
35 |
TAP=$INTERFACE |
|
36 |
FROM=FROM${TAP^^} |
|
37 |
TO=TO${TAP^^} |
|
38 |
|
|
39 |
ebtables -D INPUT -i $TAP -j $FROM |
|
40 |
ebtables -D FORWARD -i $TAP -j $FROM |
|
41 |
ebtables -D FORWARD -o $TAP -j $TO |
|
42 |
ebtables -D OUTPUT -o $TAP -j $TO |
|
43 |
|
|
44 |
ebtables -X $FROM |
|
45 |
ebtables -X $TO |
|
46 |
} |
|
47 |
|
|
48 |
|
|
49 |
|
|
21 | 50 |
function routed_setup_ipv4 { |
22 | 51 |
|
23 | 52 |
# mangle ARPs to come from the gw's IP |
... | ... | |
40 | 69 |
eui64=$($MAC2EUI64 $MAC $prefix) |
41 | 70 |
|
42 | 71 |
|
43 |
while ip -6 rule del dev $INTERFACE; do :; done > /dev/null 2>&1 |
|
44 | 72 |
ip -6 rule add dev $INTERFACE table $TABLE |
45 | 73 |
ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE |
46 |
ip -6 neigh add proxy $eui64 dev $uplink > /dev/null 2>&1
|
|
74 |
ip -6 neigh add proxy $eui64 dev $uplink |
|
47 | 75 |
|
48 | 76 |
# disable proxy NDP since we're handling this on userspace |
49 | 77 |
# this should be the default, but better safe than sorry |
... | ... | |
67 | 95 |
esac |
68 | 96 |
done |
69 | 97 |
|
70 |
# Flush any old rules. We have to consider all chains, since |
|
71 |
# we are not sure the instance was on the same chain, or had the same |
|
72 |
# tap interface. |
|
73 |
for oldchain in protected unprotected limited; do |
|
74 |
iptables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null |
|
75 |
ip6tables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null |
|
76 |
done |
|
77 |
|
|
78 | 98 |
if [ "x$chain" != "x" ]; then |
79 | 99 |
iptables -A FORWARD -o $INTERFACE -j $chain |
80 | 100 |
ip6tables -A FORWARD -o $INTERFACE -j $chain |
81 | 101 |
fi |
82 | 102 |
} |
83 | 103 |
|
84 |
function setup_nfdhcpd { |
|
85 |
umask 022 |
|
86 |
FILE=$NFDHCPD_STATE_DIR/$INTERFACE |
|
87 |
#IFACE is the interface from which the packet seems to arrive |
|
88 |
#needed in bridged mode where the packets seems to arrive from the |
|
89 |
#bridge and not from the tap |
|
90 |
cat >$FILE <<EOF |
|
91 |
INDEV=$1 |
|
92 |
IP=$IP |
|
93 |
MAC=$MAC |
|
94 |
HOSTNAME=$INSTANCE |
|
95 |
TAGS="$TAGS" |
|
96 |
EOF |
|
97 |
if [ -n "$GATEWAY" ]; then |
|
98 |
echo GATEWAY=$GATEWAY >> $FILE |
|
99 |
fi |
|
100 |
if [ -n "$SUBNET" ]; then |
|
101 |
echo SUBNET=$SUBNET >> $FILE |
|
102 |
fi |
|
103 |
if [ -n "$GATEWAY6" ]; then |
|
104 |
echo GATEWAY6=$GATEWAY6 >> $FILE |
|
105 |
fi |
|
106 |
if [ -n "$SUBNET6" ]; then |
|
107 |
echo SUBNET6=$SUBNET6 >> $FILE |
|
108 |
eui64=$($MAC2EUI64 $MAC $SUBNET6) |
|
109 |
echo EUI64=$eui64 >> $FILE |
|
110 |
fi |
|
111 |
|
|
112 |
} |
|
113 |
|
|
114 |
function clear_ebtables { |
|
115 |
TAP=$INTERFACE |
|
116 |
FROM=FROM${TAP^^} |
|
117 |
TO=TO${TAP^^} |
|
118 |
|
|
119 |
exist=$(ebtables -L | grep $TAP) |
|
120 |
|
|
121 |
if [ ! -z "$exist" ]; then |
|
122 |
ebtables -D INPUT -i $TAP -j $FROM > /dev/null 2>&1 |
|
123 |
ebtables -D FORWARD -i $TAP -j $FROM > /dev/null 2>&1 |
|
124 |
ebtables -D FORWARD -o $TAP -j $TO > /dev/null 2>&1 |
|
125 |
ebtables -D OUTPUT -o $TAP -j $TO > /dev/null 2>&1 |
|
126 |
|
|
127 |
ebtables -X $FROM > /dev/null 2>&1 |
|
128 |
ebtables -X $TO > /dev/null 2>&1 |
|
129 |
fi |
|
130 |
} |
|
131 |
|
|
132 | 104 |
function setup_ebtables { |
133 | 105 |
TAP=$INTERFACE |
134 | 106 |
FROM=FROM${TAP^^} |
... | ... | |
136 | 108 |
|
137 | 109 |
ebtables -N $FROM |
138 | 110 |
# do not allow changes in ip-mac pair |
139 |
ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP |
|
111 |
if [ -n "$IP"]; then |
|
112 |
ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP |
|
113 |
fi |
|
140 | 114 |
ebtables -A $FROM -s \! $MAC -j DROP |
141 | 115 |
ebtables -A FORWARD -i $TAP -j $FROM |
142 | 116 |
ebtables -N $TO |
... | ... | |
156 | 130 |
} |
157 | 131 |
|
158 | 132 |
|
133 |
function setup_nfdhcpd { |
|
134 |
umask 022 |
|
135 |
FILE=$NFDHCPD_STATE_DIR/$INTERFACE |
|
136 |
#IFACE is the interface from which the packet seems to arrive |
|
137 |
#needed in bridged mode where the packets seems to arrive from the |
|
138 |
#bridge and not from the tap |
|
139 |
cat >$FILE <<EOF |
|
140 |
INDEV=$1 |
|
141 |
IP=$IP |
|
142 |
MAC=$MAC |
|
143 |
HOSTNAME=$INSTANCE |
|
144 |
TAGS="$TAGS" |
|
145 |
GATEWAY=$GATEWAY |
|
146 |
SUBNET=$SUBNET |
|
147 |
GATEWAY6=$GATEWAY6 |
|
148 |
SUBNET6=$SUBNET6 |
|
149 |
EUI64=$($MAC2EUI64 $MAC $SUBNET6 2>/dev/null) |
|
150 |
EOF |
|
151 |
|
|
152 |
} |
|
153 |
|
|
159 | 154 |
|
160 | 155 |
DEFAULT=/etc/default/snf-network |
161 | 156 |
source $DEFAULT |
... | ... | |
179 | 174 |
source $NETFILE |
180 | 175 |
fi |
181 | 176 |
|
177 |
|
|
178 |
TABLE=rt_$NETWORK |
|
179 |
clear_routed_setup_ipv4 > /dev/null 2>&1 |
|
180 |
clear_routed_setup_ipv6 > /dev/null 2>&1 |
|
181 |
clear_routed_setup_firewall > /dev/null 2>&1 |
|
182 |
clear_ebtables > /dev/null 2>&1 |
|
183 |
|
|
182 | 184 |
if [ "$MODE" = "routed" ]; then |
183 |
TABLE=rt_$NETWORK |
|
184 |
# special proxy-ARP/NDP routing mode |
|
185 |
clear_tap > /dev/null 2>&1 |
|
186 |
clear_ebtables >/dev/null 2>&1 |
|
187 | 185 |
# use a constant predefined MAC address for the tap |
188 | 186 |
ip link set $INTERFACE addr $TAP_CONSTANT_MAC |
189 | 187 |
# bring the tap up |
... | ... | |
194 | 192 |
|
195 | 193 |
routed_setup_ipv4 > /dev/null 2>&1 |
196 | 194 |
routed_setup_ipv6 > /dev/null 2>&1 |
197 |
routed_setup_firewall |
|
195 |
routed_setup_firewall > /dev/null 2>&1
|
|
198 | 196 |
setup_nfdhcpd $INTERFACE |
199 | 197 |
elif [ "$MODE" = "bridged" ]; then |
200 |
clear_tap > /dev/null 2>&1 |
|
201 |
clear_ebtables >/dev/null 2>&1 |
|
202 | 198 |
ifconfig $INTERFACE 0.0.0.0 up |
203 | 199 |
brctl addif $BRIDGE $INTERFACE |
204 | 200 |
setup_nfdhcpd $BRIDGE |
205 |
setup_ebtables |
|
201 |
setup_ebtables > /dev/null 2>&1
|
|
206 | 202 |
fi |
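Review bot: The added guard in setup_ebtables, `if [ -n "$IP"]; then` (new line 111), is missing the space before `]`, so the bracket becomes part of the string argument: with $IP set, `[` reports a missing `]` and returns false, and the `--ip-source \! $IP -p ipv4 -j DROP` rule that enforces the ip/mac pairing is never installed; with $IP empty, `[ -n ]` evaluates true and a malformed ebtables command runs instead. The fix is the one-line change `if [ -n "$IP" ]; then`. Because the main section now invokes `setup_ebtables > /dev/null 2>&1` (new line 201), the `[: missing ']'` diagnostic and the skipped rule leave no trace, so consider keeping stderr visible or checking the exit status of the setup_* calls rather than discarding it. The body of setup_ebtables is partially elided in this rendering, so the remaining lines of the function could not be checked.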