#!/bin/bash

    
try() {
  # Best-effort runner for cleanup steps: the caller hands over ONE string
  # ("cmd arg ...") which is deliberately left unquoted so the shell splits it
  # into a command line. Output is discarded and the status forced to 0, so a
  # failing command never aborts a caller that runs under `set -e`.
  # shellcheck disable=SC2086
  $1 >/dev/null 2>&1 || true
}

    
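clear_routed_setup_ipv4() {
  # Undo routed_setup_ipv4 for $INTERFACE: drop the ARP source-mangling rule,
  # every policy-routing rule that points at the tap, and the udp/67 DROP on
  # FORWARD. Globals read: INTERFACE.
  # Nothing to undo without an interface name; with it empty the commands
  # below would either hit unrelated rules or die with a parse error.
  if [ -z "$INTERFACE" ]; then
    return 0
  fi

  # NOTE(review): the rule is installed with an extra "--mangle-ip-s <gw>"
  # (see routed_setup_ipv4); confirm that -D without that option still
  # matches the installed entry, otherwise the mangle rule is never removed.
  arptables -D OUTPUT -o "$INTERFACE" --opcode request -j mangle
  # There can be several "dev $INTERFACE" rules (one per setup run); delete
  # until ip(8) reports that nothing is left.
  while ip rule del dev "$INTERFACE"; do :; done
  # The matching -A for this DROP is not in this listing (presumably added by
  # a mode-specific script).
  iptables -D FORWARD -i "$INTERFACE" -p udp --dport 67 -j DROP
}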

    
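clear_routed_setup_ipv6() {
  # Undo routed_setup_ipv6: remove the per-tap IPv6 policy rules and the
  # proxy-NDP entry that made the uplink answer neighbour solicitations for
  # the guest's EUI-64.
  # Globals read: INTERFACE, MAC, LINK/TABLE, SUBNET6/NETWORK_SUBNET6,
  # SNF_NETWORK_LOG. Globals written (via helpers): UPLINK, EUI64.
  if [ -n "$INTERFACE" ]; then
    while ip -6 rule del dev "$INTERFACE"; do :; done
  fi

  # routed_setup_ipv6 derives the uplink from $TABLE and the EUI-64 from
  # $NETWORK_SUBNET6, while this function used $LINK and $SUBNET6. Fall back
  # to the setup-side names when the legacy ones are empty so the entry is
  # looked up with the same inputs that created it. (Unquoted, an empty $LINK
  # also shifted "-6" into the table argument.) Otherwise a stale
  # "neigh proxy" entry stays on the uplink after the NIC is gone.
  get_uplink "${LINK:-$TABLE}" "-6"
  get_eui64 "$MAC" "${SUBNET6:-$NETWORK_SUBNET6}"

  # Without both an address and an uplink there is no entry to delete (and
  # "ip -6 neigh del proxy  dev " would only produce a usage error).
  if [ -z "$EUI64" ] || [ -z "$UPLINK" ]; then
    return 0
  fi
  # With the logger unset, the bare expansion would re-execute $0 (this hook)
  # with the message as its argument; only log when a logger is configured.
  if [ -n "$SNF_NETWORK_LOG" ]; then
    $SNF_NETWORK_LOG $0 "ip -6 neigh del proxy $EUI64 dev $UPLINK"
  fi
  ip -6 neigh del proxy "$EUI64" dev "$UPLINK"
}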

    
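clear_routed_setup_firewall() {
  # Detach every firewall profile chain (protected/unprotected/limited) from
  # the FORWARD path of $INTERFACE, for IPv4 and IPv6. All three are tried
  # since the profile that is in effect is not passed in; -D on a chain that
  # was never attached simply fails, which is harmless here.
  # Globals read: INTERFACE.
  local oldchain
  if [ -z "$INTERFACE" ]; then
    # "-o ''" would not address any real rule; nothing to detach.
    return 0
  fi
  for oldchain in protected unprotected limited; do
    iptables  -D FORWARD -o "$INTERFACE" -j "$oldchain"
    ip6tables -D FORWARD -o "$INTERFACE" -j "$oldchain"
  done
}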

    
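clear_ebtables() {
  # Tear down the per-NIC ebtables chains created by init_ebtables: unhook
  # $FROM/$TO from FORWARD, then delete the chains themselves.
  # Every call goes through runlocked (defined elsewhere; presumably a lock
  # wrapper serialising concurrent hooks). Globals read: INTERFACE, FROM, TO,
  # RUNLOCKED_OPTS. Steps whose operands are empty are skipped instead of
  # being issued as malformed ebtables invocations.
  if [ -n "$INTERFACE" ]; then
    if [ -n "$FROM" ]; then
      runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -i "$INTERFACE" -j "$FROM"
    fi
    if [ -n "$TO" ]; then
      runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -o "$INTERFACE" -j "$TO"
    fi
  fi
  # The OUTPUT hook is not installed anywhere in this file (see setup_masq),
  # so there is nothing to unhook there.
  #runlocked $RUNLOCKED_OPTS ebtables -D OUTPUT -o $INTERFACE -j $TO

  # Delete the chains once they are no longer referenced from FORWARD.
  if [ -n "$FROM" ]; then
    runlocked $RUNLOCKED_OPTS ebtables -X "$FROM"
  fi
  if [ -n "$TO" ]; then
    runlocked $RUNLOCKED_OPTS ebtables -X "$TO"
  fi
}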

    
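clear_nfdhcpd() {
  # Remove the per-NIC state file that setup_nfdhcpd wrote for nfdhcpd.
  # Globals read: NFDHCPD_STATE_DIR, INTERFACE.
  # Refuse to act on an empty directory or interface name: with both unset
  # the original "rm $DIR/$IFACE" degenerated to "rm /", and with only the
  # interface unset it targeted the state directory itself.
  if [ -z "$NFDHCPD_STATE_DIR" ] || [ -z "$INTERFACE" ]; then
    return 0
  fi
  # -f: a NIC that was never set up (or was already cleared) has no file,
  # which is not an error for a cleanup step; -- guards names that start
  # with a dash.
  rm -f -- "$NFDHCPD_STATE_DIR/$INTERFACE"
}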

    
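routed_setup_ipv4() {
  # Routed-mode IPv4 plumbing for one guest NIC ($INTERFACE):
  #   * rewrite the sender IP of ARP requests leaving through the tap so the
  #     guest sees the network gateway address as its neighbour;
  #   * policy-route the tap into table $TABLE and add a route for $IP there;
  #   * enable proxy ARP on the tap;
  #   * announce $IP upstream with a gratuitous ARP on the uplink of $TABLE.
  # Globals read: INTERFACE, NETWORK_GATEWAY, IP, TABLE, SNF_NETWORK_LOG.
  # Globals written: UPLINK (by get_uplink).
  if [ -z "$INTERFACE" ] || [ -z "$NETWORK_GATEWAY" ] || [ -z "$IP" ] || [ -z "$TABLE" ]; then
    return 0
  fi

  # mangle ARPs to come from the gw's IP
  arptables -A OUTPUT -o "$INTERFACE" --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY"

  # route interface to the proper routing table
  ip rule add dev "$INTERFACE" table "$TABLE"

  # static route mapping IP -> INTERFACE ("replace" keeps this idempotent)
  ip route replace "$IP" proto static dev "$INTERFACE" table "$TABLE"

  # Enable proxy ARP
  echo 1 > "/proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp"

  # Send GARP from host to upstream router
  get_uplink "$TABLE"
  if [ -z "$UPLINK" ]; then
    # No default route in $TABLE: nothing to announce on (arpsend would be
    # handed an empty interface).
    return 0
  fi
  # The original toggles ip_nonlocal_bind around arpsend, presumably because
  # arpsend binds the guest's (non-local) $IP. Remember the host-wide value
  # and put it back afterwards instead of forcing 0, so an admin-set value is
  # not clobbered. NOTE(review): two hooks running concurrently can still
  # interleave these writes.
  local nonlocal_bind_was
  nonlocal_bind_was=$(cat /proc/sys/net/ipv4/ip_nonlocal_bind 2>/dev/null)
  echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
  # $SNF_NETWORK_LOG $0 "arping  -c3 -I $UPLINK -U $IP"
  # arping  -c3 -I $UPLINK -U $IP
  # With the logger unset the bare expansion would re-execute $0 (this hook).
  if [ -n "$SNF_NETWORK_LOG" ]; then
    $SNF_NETWORK_LOG $0 "arpsend -U -i $IP $UPLINK"
  fi
  arpsend -U -i "$IP" "$UPLINK"
  echo "${nonlocal_bind_was:-0}" > /proc/sys/net/ipv4/ip_nonlocal_bind
}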

    
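routed_setup_ipv6() {
  # Routed-mode IPv6 plumbing for one guest NIC. The guest's address is the
  # EUI-64 derived from $MAC inside $NETWORK_SUBNET6 (see get_eui64).
  # Policy-route the tap into $TABLE, add a /128 for the EUI-64, install a
  # proxy-NDP entry for it on the uplink of $TABLE, then announce it upstream.
  # Globals read: INTERFACE, TABLE, MAC, NETWORK_SUBNET6, SNF_NETWORK_LOG.
  # Globals written: UPLINK, EUI64 (by the helpers, also on early return).
  get_uplink "$TABLE" "-6"
  get_eui64 "$MAC" "$NETWORK_SUBNET6"

  if [ -z "$EUI64" ] || [ -z "$TABLE" ] || [ -z "$INTERFACE" ] || [ -z "$UPLINK" ]; then
    return 0
  fi

  # Add a routing entry for the eui-64
  ip -6 rule add dev "$INTERFACE" table "$TABLE"
  ip -6 route replace "$EUI64/128" dev "$INTERFACE" table "$TABLE"
  # NOTE(review): "add" fails if the proxy entry already exists (e.g. a
  # re-run without clear_routed_setup_ipv6 in between).
  ip -6 neigh add proxy "$EUI64" dev "$UPLINK"

  # disable proxy NDP since we're handling this on userspace
  # this should be the default, but better safe than sorry
  echo 0 > "/proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp"

  # Send Unsolicited Neighbor Advertisement
  # With the logger unset the bare expansion would re-execute $0 (this hook).
  if [ -n "$SNF_NETWORK_LOG" ]; then
    $SNF_NETWORK_LOG $0 "ndsend $EUI64 $UPLINK"
  fi
  ndsend "$EUI64" "$UPLINK"
}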

    
# pick a firewall profile per NIC, based on tags (and apply it)
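routed_setup_firewall() {
  # Select a firewall profile for this NIC from the instance tags and attach
  # the matching chain (protected / unprotected / limited) to FORWARD for
  # traffic leaving through $INTERFACE, IPv4 and IPv6.
  # A tag applies when it is bare ("protected") or prefixed with this NIC's
  # index, name or uuid ("synnefo:network:<id>:protected"); a tag for another
  # NIC keeps its prefix and therefore matches no case arm. When several
  # tags match, the last one in $TAGS wins.
  # Globals read: TAGS, INTERFACE, INTERFACE_INDEX, INTERFACE_NAME,
  # INTERFACE_UUID. Globals written: chain (the selected profile, or empty).

  # for latest ganeti there is no need to check other but uuid
  local ifprefixindex="synnefo:network:$INTERFACE_INDEX:"
  local ifprefixname="synnefo:network:$INTERFACE_NAME:"
  local ifprefixuuid="synnefo:network:$INTERFACE_UUID:"
  # Must start empty: a stale value inherited from the environment or from a
  # previous call would otherwise attach a profile no tag asked for.
  chain=""
  local tag
  # shellcheck disable=SC2086 -- TAGS is a space-separated list by design
  for tag in $TAGS; do
    # Quoted so the NIC name/uuid is matched literally, not as a glob.
    tag=${tag#"$ifprefixindex"}
    tag=${tag#"$ifprefixname"}
    tag=${tag#"$ifprefixuuid"}
    case "$tag" in
      protected)   chain=protected ;;
      unprotected) chain=unprotected ;;
      limited)     chain=limited ;;
    esac
  done

  if [ -n "$chain" ]; then
    iptables  -A FORWARD -o "$INTERFACE" -j "$chain"
    ip6tables -A FORWARD -o "$INTERFACE" -j "$chain"
  fi
}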

    
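init_ebtables() {
  # Create the per-NIC ebtables chains and hook them into FORWARD:
  #   $FROM - frames received on $INTERFACE (coming from the guest)
  #   $TO   - frames sent out on $INTERFACE (going to the guest)
  # The filtering rules themselves are added by setup_ebtables.
  # Globals read: INTERFACE, FROM, TO, RUNLOCKED_OPTS.
  # Returns 1 without touching ebtables when a name is missing: an empty
  # chain or interface name would fail half-way and leave a partial setup.
  if [ -z "$INTERFACE" ] || [ -z "$FROM" ] || [ -z "$TO" ]; then
    echo "init_ebtables: INTERFACE, FROM and TO must be set" >&2
    return 1
  fi
  runlocked $RUNLOCKED_OPTS ebtables -N "$FROM"
  runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -i "$INTERFACE" -j "$FROM"
  runlocked $RUNLOCKED_OPTS ebtables -N "$TO"
  runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -o "$INTERFACE" -j "$TO"
}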

    
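setup_ebtables() {
  # Anti-spoofing rules for one guest NIC (chains created by init_ebtables):
  #   $FROM (guest -> network): drop IPv4 frames whose source IP is not $IP,
  #          and drop any frame whose source MAC is not $MAC.
  #   $TO   (network -> guest): accept DHCP replies (udp/68, sent by the
  #          host-side nfdhcpd), drop frames from MACs outside $MAC/$MAC_MASK.
  # Globals read: FROM, TO, IP, MAC, MAC_MASK, RUNLOCKED_OPTS.
  #
  # Fix: the IP check was written "[ -n "$IP"]" (no space before the closing
  # bracket). With IP set, test(1) fails with "missing ]" and the condition is
  # false, so the IP-source rule was silently never installed and the guest
  # could send from any IPv4 source.
  #
  # NOTE(review): only IPv4 sources are pinned here; the ARP sender-IP and
  # IPv6 sources are not checked in this file (mode-specific scripts are not
  # in this listing). An empty MAC_MASK would still produce a malformed "-s".
  if [ -z "$MAC" ]; then
    # Without a MAC the layer-2 pin is meaningless; fail loudly rather than
    # install a half set of rules.
    echo "setup_ebtables: MAC is not set" >&2
    return 1
  fi

  # do not allow changes in ip-mac pair
  if [ -n "$IP" ]; then
    runlocked $RUNLOCKED_OPTS ebtables -A "$FROM" --ip-source \! "$IP" -p ipv4 -j DROP
  fi
  runlocked $RUNLOCKED_OPTS ebtables -A "$FROM" -s \! "$MAC" -j DROP
  #accept dhcp responses from host (nfdhcpd)
  runlocked $RUNLOCKED_OPTS ebtables -A "$TO" -p ipv4 --ip-protocol=udp  --ip-destination-port=68 -j ACCEPT
  # allow only packets from the same mac prefix
  runlocked $RUNLOCKED_OPTS ebtables -A "$TO" -s \! "$MAC/$MAC_MASK" -j DROP
}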

    
setup_masq() {
  # Placeholder: masquerading support is not enabled. The rules that would
  # let the router's MAC reach the guest and hook the host's own INPUT/OUTPUT
  # traffic into $FROM/$TO are kept here, commented out, for reference.
  # runlocked $RUNLOCKED_OPTS ebtables -A $TO -s $NODE_MAC -j ACCEPT
  # runlocked $RUNLOCKED_OPTS ebtables -A INPUT -i $INTERFACE -j $FROM
  # runlocked $RUNLOCKED_OPTS ebtables -A OUTPUT -o $INTERFACE -j $TO
  return
}

    
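setup_nfdhcpd() {
  # Write the per-NIC state file that nfdhcpd reads to serve this guest.
  # Globals read: NFDHCPD_STATE_DIR, INTERFACE, INDEV, IP, MAC,
  # GANETI_INSTANCE_NAME, TAGS, NETWORK_GATEWAY, NETWORK_SUBNET,
  # NETWORK_GATEWAY6, NETWORK_SUBNET6, MAC2EUI64.
  # Globals written: FILE (path of the state file; kept global for callers).
  if [ -z "$NFDHCPD_STATE_DIR" ] || [ -z "$INTERFACE" ]; then
    # Without both parts there is no sane path to write (the original would
    # have produced "/<name>" or the directory itself).
    echo "setup_nfdhcpd: NFDHCPD_STATE_DIR and INTERFACE must be set" >&2
    return 1
  fi
  FILE=$NFDHCPD_STATE_DIR/$INTERFACE
  #IFACE is the interface from which the packet seems to arrive
  #needed in bridged mode where the packets seems to arrive from the
  #bridge and not from the tap
  # umask 022 makes the new file 0644 so nfdhcpd can read it; it is applied
  # in a subshell so it does not leak into the rest of the hook.
  # The heredoc is unquoted on purpose (values are expanded here); the EUI-64
  # is recomputed inline and helper errors are discarded, so a missing IPv6
  # subnet simply yields "EUI64=".
  (
    umask 022
    cat > "$FILE" <<EOF
INDEV=$INDEV
IP=$IP
MAC=$MAC
HOSTNAME=$GANETI_INSTANCE_NAME
TAGS="$TAGS"
GATEWAY=$NETWORK_GATEWAY
SUBNET=$NETWORK_SUBNET
GATEWAY6=$NETWORK_GATEWAY6
SUBNET6=$NETWORK_SUBNET6
EUI64=$($MAC2EUI64 "$MAC" "$NETWORK_SUBNET6" 2>/dev/null)
EOF
  )
}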

    
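get_uplink() {
  # Find the interface carrying the default route of routing table $1 and
  # store it in the global UPLINK (empty if the table has no default route).
  # $2 is an optional address-family switch for ip(8), e.g. "-6"; IPv4 is
  # the default.
  # Fix: the family switch used to be passed as "$version" even when empty,
  # handing ip(8) an empty first word, which it does not ignore; the IPv4
  # callers (get_uplink "$TABLE") therefore ended up with an empty UPLINK.
  # ${version:+"$version"} expands to nothing when unset.
  # Parsing assumes the iproute2 form "default via <gw> dev <iface> ...";
  # with several default routes UPLINK holds one name per line.
  local table=$1
  local version=$2
  UPLINK=$(ip ${version:+"$version"} route list table "$table" \
    | grep "default via" | awk '{print $5}')
}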

    
# The hook environment carries no IPv6 address for the NIC, so the address is
# calculated from the NIC's MAC and the network's IPv6 subnet (if any).
# First argument: MAC, second: IPv6 subnet.
# Changes the global variable EUI64.
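get_eui64 () {
  # Derive the guest's IPv6 address from its MAC and the IPv6 subnet using
  # the external helper in $MAC2EUI64. $1 - MAC, $2 - IPv6 subnet/prefix.
  # Sets the global EUI64; it is emptied when no prefix is given (no IPv6 on
  # this network) or when the helper is not configured, so callers can keep
  # testing [ -n "$EUI64" ]. Returns 1 when the helper is unset or fails.
  local mac=$1
  local prefix=$2

  EUI64=
  if [ -z "$prefix" ]; then
    return 0
  fi
  if [ -z "$MAC2EUI64" ]; then
    # Without this guard the command line collapses to running "$mac $prefix"
    # as a command.
    echo "get_eui64: MAC2EUI64 is not set" >&2
    return 1
  fi
  # $MAC2EUI64 stays unquoted as in the original, so a value that carries
  # arguments keeps working; the operands are quoted.
  EUI64=$($MAC2EUI64 "$mac" "$prefix")
}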

    
# DDNS related functions
219

    
# The zone statement is omitted on purpose:
# nsupdate will determine the correct zone to update from the rest of the input.
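send_command () {
  # Send one dynamic-update command to $SERVER via nsupdate, using the key
  # file $KEYFILE. The zone statement is deliberately omitted: nsupdate works
  # it out from the record name.
  # $1 - an "update add|delete ..." line. Logs the command via
  # $SNF_NETWORK_LOG when a logger is configured (with it unset, the bare
  # expansion would re-execute $0, this hook, with the message as argument).
  # Returns 1 without sending anything when KEYFILE or SERVER is unset:
  # nsupdate would otherwise get a dangling -k or an empty "server" line.
  # NOTE(review): $command is interpolated into the nsupdate script; it is
  # built from Ganeti-provided names, which are trusted here, but a newline
  # in it would add extra nsupdate statements.
  local command="$1"
  if [ -z "$KEYFILE" ] || [ -z "$SERVER" ]; then
    echo "send_command: KEYFILE and SERVER must be set" >&2
    return 1
  fi
  if [ -n "$SNF_NETWORK_LOG" ]; then
    $SNF_NETWORK_LOG $0 "$command"
  fi
  nsupdate -k "$KEYFILE" > /dev/null << EOF
  server $SERVER
  $command
  send
EOF
}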

    
update_arecord () {
  # Add or delete ($1 = add|delete) the forward A record
  # "<instance>.<FZONE> <TTL> A <IP>". No-op when IP is empty (NIC without
  # IPv4). Globals read: IP, GANETI_INSTANCE_NAME, FZONE, TTL.
  local action=$1
  [ -n "$IP" ] || return 0
  send_command "update $action $GANETI_INSTANCE_NAME.$FZONE $TTL A $IP"
}

    
update_aaaarecord () {
  # Add or delete ($1 = add|delete) the forward AAAA record
  # "<instance>.<FZONE> <TTL> AAAA <EUI64>". No-op when EUI64 is empty
  # (no IPv6 subnet). Globals read: EUI64, GANETI_INSTANCE_NAME, FZONE, TTL.
  local action=$1
  [ -n "$EUI64" ] || return 0
  send_command "update $action $GANETI_INSTANCE_NAME.$FZONE $TTL AAAA $EUI64"
}

    
update_ptrrecord () {
  # Add or delete ($1 = add|delete) the IPv4 reverse record
  # "<RLPART>.<RZONE>. <TTL> PTR <instance>.<FZONE>". No-op when IP is empty.
  # RLPART/RZONE are expected to have been filled in by get_rev4_info.
  # Globals read: IP, RLPART, RZONE, TTL, GANETI_INSTANCE_NAME, FZONE.
  local action=$1
  [ -n "$IP" ] || return 0
  send_command "update $action $RLPART.$RZONE. $TTL PTR $GANETI_INSTANCE_NAME.$FZONE"
}

    
update_ptr6record () {
  # Add or delete ($1 = add|delete) the IPv6 reverse record
  # "<R6LPART><R6ZONE>. <TTL> PTR <instance>.<FZONE>" (R6LPART already ends
  # with a dot). No-op when EUI64 is empty. R6LPART/R6ZONE are expected to
  # have been filled in by get_rev6_info.
  # Globals read: EUI64, R6LPART, R6ZONE, TTL, GANETI_INSTANCE_NAME, FZONE.
  local action=$1
  [ -n "$EUI64" ] || return 0
  send_command "update $action $R6LPART$R6ZONE. $TTL PTR $GANETI_INSTANCE_NAME.$FZONE"
}

    
update_all () {
  # Apply $1 (add|delete) to all four DNS records of the instance, in the
  # order A, AAAA, PTR, PTR6; each helper skips itself when its address
  # (IP or EUI64) is empty.
  local action=$1
  local updater
  for updater in update_arecord update_aaaarecord update_ptrrecord update_ptr6record; do
    "$updater" "$action"
  done
}

    
# First argument is an EUI-64 (IPv6 address).
# Sets the GLOBAL variables R6REC, R6ZONE, R6LPART.
# Assuming eui64=2001:648:2ffc:1::1, the following commands produce:
# R6REC=1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.c.f.f.2.8.4.6.0.1.0.0.2.ip6.arpa
# R6ZONE=1.0.0.0.c.f.f.2.8.4.6.0.1.0.0.2.ip6.arpa
# R6LPART=1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
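get_rev6_info () {
  # Compute the reverse-DNS names for an IPv6 address ($1, e.g. the EUI-64)
  # and set the globals
  #   R6REC   - full nibble name, "<32 reversed nibbles>.ip6.arpa"
  #   R6ZONE  - the /64 reverse zone: the last 16 nibbles + ".ip6.arpa"
  #   R6LPART - the host part: the first 16 nibbles, with a trailing dot
  # For 2001:648:2ffc:1::1 that is
  #   R6REC=1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.c.f.f.2.8.4.6.0.1.0.0.2.ip6.arpa
  #   R6ZONE=1.0.0.0.c.f.f.2.8.4.6.0.1.0.0.2.ip6.arpa
  #   R6LPART=1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.
  # All three are emptied for an empty address; a malformed one also returns 1.
  # Fix: the original obtained the nibble name by running a DNS lookup
  # ("host $eui64") and scraping its output, making a local string
  # transformation depend on the resolver being reachable (and leaving
  # R6ZONE as a run of dots when the lookup failed). The expansion is done in
  # the shell instead. Only the hex-group / "::" syntax is handled; a
  # dotted-quad suffix (::ffff:1.2.3.4) is rejected.
  local eui64=${1%%/*}   # tolerate a trailing prefix length
  R6REC= ; R6ZONE= ; R6LPART= ;
  [ -n "$eui64" ] || return 0

  # Split around "::" (at most one allowed) into head and tail groups.
  local head=$eui64 tail=""
  if [[ "$eui64" == *::* ]]; then
    head=${eui64%%::*}
    tail=${eui64#*::}
    [[ "$tail" != *::* ]] || return 1
  fi
  local -a hgroups=() tgroups=()
  IFS=: read -r -a hgroups <<< "$head"
  IFS=: read -r -a tgroups <<< "$tail"
  local nfill=$(( 8 - ${#hgroups[@]} - ${#tgroups[@]} ))
  if (( nfill < 0 )) || { [[ "$eui64" != *::* ]] && (( nfill != 0 )); }; then
    return 1
  fi

  # Build the 32-digit hex string, zero-padding each group to 4 digits and
  # filling the "::" gap with zero groups.
  local hex="" g
  for g in "${hgroups[@]}"; do
    [[ "$g" =~ ^[0-9A-Fa-f]{1,4}$ ]] || return 1
    hex+=$(printf '%04x' "0x$g")
  done
  while (( nfill-- > 0 )); do hex+=0000; done
  for g in "${tgroups[@]}"; do
    [[ "$g" =~ ^[0-9A-Fa-f]{1,4}$ ]] || return 1
    hex+=$(printf '%04x' "0x$g")
  done

  # Reverse the nibbles, one label each, then cut at the /64 boundary.
  local rev="" i
  for (( i = ${#hex} - 1; i >= 0; i-- )); do
    rev+="${hex:i:1}."
  done
  R6REC="${rev}ip6.arpa"
  R6LPART=${rev:0:32}          # 16 labels x ("n" + ".")
  R6ZONE="${rev:32}ip6.arpa"
}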

    
# First argument is an IPv4 address.
# Sets the global variables RZONE, RLPART.
# Assuming IP=203.0.113.1:
# RZONE="113.0.203.in-addr.arpa"
# RLPART="1"
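get_rev4_info () {
  # Split an IPv4 address ($1) into the pieces needed for its PTR record and
  # set the globals RZONE (reverse zone) and RLPART (host label).
  # For 203.0.113.1: RZONE="113.0.203.in-addr.arpa", RLPART="1".
  # Both are emptied when $1 is empty.
  # Fix: the scratch variables (a b c d, OLDIFS) were globals that leaked into
  # the caller; they are local now and the octets are read with read(1)
  # instead of "set --".
  local ip=$1
  local a b c d
  if [ -z "$ip" ]; then
    RZONE= ; RLPART= ;
    return 0
  fi
  IFS=. read -r a b c d <<< "$ip"
  RZONE="$c.$b.$a.in-addr.arpa"
  RLPART="$d"
}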

    
# Query the nameserver for the entries related to the specific instance.
# Example output of host(1), which the sed expressions below parse:
# www.google.com has address 173.194.113.114
# www.google.com has address 173.194.113.115
# www.google.com has address 173.194.113.116
# www.google.com has address 173.194.113.112
# www.google.com has address 173.194.113.113
# www.google.com has IPv6 address 2a00:1450:4001:80b::1012
query_dns () {
345

    
346
  HOSTQ="host -s -R 3 -W 3"
347
  HOST_IP_ALL=$($HOSTQ $GANETI_INSTANCE_NAME.$FZONE $SERVER | sed -n 's/.*has address //p')
348
  HOST_IP6_ALL=$($HOSTQ $GANETI_INSTANCE_NAME.$FZONE $SERVER | sed -n 's/.*has IPv6 address //p')
349

    
350
}