Revision 4d3b0880 ifup-extra
b/ifup-extra | ||
---|---|---|
1 | 1 |
#!/bin/bash |
2 | 2 |
|
3 |
# IMPORTANT: Your custom script must configure the network interface FULLY, |
|
4 |
# regardless of whether your custom tag, e.g., some-prefix:allow_this, is set. |
|
5 |
# |
|
6 |
# This is necessary to ensure the interface is in a consistent state when |
|
7 |
# local-prefix:allow_this is not defined. Thus you should undo the changes |
|
8 |
# which a previous invocation of this script may have done. |
|
9 |
# |
|
10 |
# In the future, if Ganeti acquires the ability to run ifdown scripts, |
|
11 |
# this functionality will be moved there, greatly simplifying the ifup scripts |
|
12 |
# |
|
13 |
# some-prefix must NOT be synnefo:network: since this is already used by |
|
14 |
# synnefo for setting up firewalls, etc. |
|
15 |
|
|
3 | 16 |
source /etc/default/snf-network |
4 | 17 |
source /usr/lib/snf-network/common.sh |
5 | 18 |
|
6 | 19 |
# Useful environment vars |
7 | 20 |
# INTERFACE, INSTANCE, IP, NETWORK_TAGS, MODE, TABLE |
8 | 21 |
|
9 |
function reset_extra (){ |
|
22 |
# This cleans up the rules that might have been applied by a previous ifup-extra |
|
23 |
function clean_extra (){ |
|
10 | 24 |
|
11 | 25 |
iptables -D FORWARD -i $INTERFACE -p tcp --dport 25 -j ACCEPT |
12 | 26 |
ip6tables -D FORWARD -i $INTERFACE -p tcp --dport 25 -j ACCEPT |
13 | 27 |
|
14 | 28 |
} |
15 | 29 |
|
16 |
# Reset rules that might have been applied by a previous ifup-extra |
|
17 |
try reset_extra |
|
18 |
|
|
19 |
ifprefixindex="synnefo:network:$INTERFACE_INDEX:" |
|
20 |
ifprefixname="synnefo:network:$INTERFACE_NAME:" |
|
21 |
ifprefixuuid="synnefo:network:$INTERFACE_UUID:" |
|
22 |
for tag in $TAGS; do |
|
23 |
tag=${tag#$ifprefixindex} |
|
24 |
tag=${tag#$ifprefixname} |
|
25 |
tag=${tag#$ifprefixuuid} |
|
26 |
case $tag in |
|
27 |
mail) |
|
28 |
# Here add iptalbes rule.. |
|
29 |
iptables -I FORWARD -i $INTERFACE -p tcp --dport 25 -j ACCEPT |
|
30 |
ip6tables -I FORWARD -i $INTERFACE -p tcp --dport 25 -j ACCEPT |
|
31 |
;; |
|
32 |
esac |
|
33 |
done |
|
30 |
# This looks for the following tag examples: |
|
31 |
# some-prefix:1:mail |
|
32 |
# some-prefix:snf-nic-12345:mail |
|
33 |
# some-prefix:8252fabd-1021-411c-b8f7-ed79ed509bb8:mail |
|
34 |
# some-prefix:mail |
|
35 |
# and issues some iptables rules |
|
36 |
function setup_extra () { |
|
37 |
|
|
38 |
ifprefixindex="some-prefix:$INTERFACE_INDEX:" |
|
39 |
ifprefixname="some-prefix:$INTERFACE_NAME:" |
|
40 |
ifprefixuuid="some-prefix:$INTERFACE_UUID:" |
|
41 |
ifprefix="some-prefix:" |
|
42 |
|
|
43 |
for tag in $TAGS; do |
|
44 |
tag=${tag#$ifprefixindex} |
|
45 |
tag=${tag#$ifprefixname} |
|
46 |
tag=${tag#$ifprefixuuid} |
|
47 |
tag=${tag#$ifprefix} |
|
48 |
case $tag in |
|
49 |
mail) |
|
50 |
# Here add iptalbes rule.. |
|
51 |
iptables -I FORWARD -i $INTERFACE -p tcp --dport 25 -j ACCEPT |
|
52 |
ip6tables -I FORWARD -i $INTERFACE -p tcp --dport 25 -j ACCEPT |
|
53 |
;; |
|
54 |
esac |
|
55 |
done |
|
56 |
|
|
57 |
} |
|
58 |
|
|
59 |
try clean_extra |
|
60 |
|
|
61 |
setup_extra |
|
34 | 62 |
|
35 | 63 |
exit 0 |
36 | 64 |
|
Also available in: Unified diff