Revision 7d163a24

/dev/null
1
#!/bin/bash
2

  
3
DIR=/var/lib/snf-network
4
SUBNET=$1
5
GATEWAY=$2
6
TYPE=$3
7
NAME=$4
8
RT_TABLES=/etc/iproute2/rt_tables
9

  
10

  
11

  
12
if [ $# -ne 4 ]; then
13
  echo "$0 <subnet> <gateway> <private/public> <name>"
14
  exit 1
15
fi
16

  
17

  
18

  
19
cat > $DIR/networks/$NAME <<EOF
20
SUBNET=$SUBNET
21
GATEWAY=$GATEWAY
22
TYPE=$TYPE
23
EOF
24

  
25

  
26
IDX=$(ls $DIR/networks | wc -l)
27

  
28
# remove old entry
29
sed -i '/^'"$IDX"'\ / d' $RT_TABLES
30

  
31
echo "$IDX rt_$NAME" >> $RT_TABLES
32

  
33

  
/dev/null
1
#!/bin/bash
2

  
3
DIR=/var/lib/snf-network
4
NODES=$1
5
ROUTER=$2
6
IFACE=$3
7
VLAN=$4
8
VLANS=$5
9
NAME=$6
10

  
11

  
12
if [ $# -ne 6 ]; then
13
  echo "$0 <list_nodes> <router> <iface> <public_vlan> <list_of_private_vlans> <name>"
14
  echo "$0 'dev88 89' 'dev88' 'eth0' '101' '2990 2999' 'default'"
15
  exit 1
16
fi
17

  
18

  
19

  
20
cat > $DIR/nodegroups/$NAME <<EOF
21
ROUTER=$ROUTER
22
INTERFACE=$IFACE
23
PUBLIC_VLAN=$VLAN
24
PRIVATE_VLANS=$VLANS
25
EOF
26

  
27

  
b/configure-interfaces
1
#!/bin/bash
2

  
3
source /etc/default/snf-network
4

  
5
HOSTNAME=$(hostname)
6

  
7

  
8
INTERFACES=$SHAREDDIR/interfaces/$HOSTNAME
9
INFRA=$SHAREDDIR/infra/$HOSTNAME
10

  
11
if [ -e $INFRA ]; then
12
  source $INFRA
13
fi
14

  
15
if [ -e /proc/sys/net/ipv4/conf/$PUBLIC_VLAN  -o \
16
#     -e /proc/sys/net/ipv4/conf/$PUBLIC_BRIDGE -o \
17
     -e /proc/sys/net/ipv4/conf/$MASQ_VLAN -o \
18
     -e /proc/sys/net/ipv4/conf/$MASQ_BRIDGE -o \
19
     -e /proc/sys/net/ipv4/conf/$PRIVATE_VLAN -o \
20
     -e /proc/sys/net/ipv4/conf/$PRIVATE_BRIDGE ]; then 
21
  echo Interfaces already exist! Please check: 
22
  echo $PUBLIC_BRIDGE for bridging TAPs with public IPs
23
  echo $PUBLIC_VLAN for routing TAPs with public IPs
24
  echo $PRIVATE_VLAN  bridged on $PRIVATE_BRIDGE for private LANs
25
  echo $MASQ_VLAN bridged on $MASQ_BRIDGE for private IPs that get MASQUERADED
26
  exit 1
27
fi
28

  
29

  
30
cat > $INTERFACES<<EOF
31
#auto $PUBLIC_BRIDGE
32
#iface $PUBLIC_BRIDGE inet manual
33
#  bridge_ports $PUBLIC_INTERFACE
34
#  bridge_stp off
35
#  bridge_fd 2
36

  
37
auto $PUBLIC_VLAN
38
iface $PUBLIC_VLAN inet manual
39

  
40
auto $PRIVATE_VLAN
41
iface $PRIVATE_VLAN inet manual
42

  
43
auto $PRIVATE_BRIDGE
44
iface $PRIVATE_BRIDGE inet manual
45
  bridge_ports $PRIVATE_VLAN
46
  bridge_stp off
47
  bridge_fd 2
48

  
49
auto $MASQ_VLAN
50
iface $MASQ_VLAN inet manual
51

  
52
auto $MASQ_BRIDGE
53
iface $MASQ_BRIDGE inet manual
54
  bridge_ports $MASQ_VLAN
55
  bridge_stp off
56
  bridge_fd 2
57
EOF
58

  
59

  
60
ifup -i $INTERFACES -a
61

  
62

  
63
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
64
echo 1 > /proc/sys/net/ipv4/ip_forward
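Review bot: The commented-out line 16 sits inside the backslash-continued `[ ... ]` spanning lines 15–20, and after line joining a `#` word starts a comment to the end of the joined line, so the test is cut off after `-o`, lines 17–20 run as separate (failing) commands, and the "Interfaces already exist" guard never fires — the script only prints `[: missing ]`/command-not-found errors and carries on. Move that comment above the `if` (or drop it) so line 15 continues straight into line 17: `if [ -e /proc/sys/net/ipv4/conf/$PUBLIC_VLAN -o \`. Once the guard works, an unset variable (e.g. when `$INFRA` is absent) makes `-e /proc/sys/net/ipv4/conf/` test the directory itself and succeed; a `: "${PUBLIC_VLAN:?}" "${PRIVATE_VLAN:?}" "${MASQ_VLAN:?}"` before the test turns that into a clear error instead.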
/dev/null
1
#!/bin/bash
2

  
3
DIR=/var/lib/snf-network
4
NETWORK=$1
5
NODEGROUP=$2
6
MODE=$3
7
LINK=$4
8

  
9
source /etc/default/snf-network
10

  
11
if [ $# -ne 4 ]; then
12
  echo "$0 <network> <nodegroup> <mode> <link>"
13
  exit 1
14
fi
15

  
16
NETWORK_FILE=$DIR/networks/$NETWORK
17
NODEGROUP_FILE=$DIR/nodegoups/$NODEGROUP
18
INTERFACES=$DIR/interfaces/$NETWORK-$NODEGROUP
19

  
20
source $NETWORK_FILE
21
source $NODEGROUP_FILE
22

  
23
if [ $MODE == "routed" ]; then 
24
  VLAN=$LINK
25
  if [ $TYPE == "public" ]; then
26
    APR_IP=$(ipcalc $SUBNET | grep HostMax | awk '{print $2}')
27
    cat > $INTERFACES<<EOF
28
# $VLAN $MODE
29
auto $VLAN
30
iface $VLAN inet manual
31
#    ip-routing-table rt_$NETWORK
32
#    ip-routes $SUBNET
33
#    ip-gateway $GATEWAY
34
#    ip-forwarding 1
35
#    ip-proxy-arp 1
36
#    arp-ip $ARP_IP
37
EOF 
38
    ifup -i $INTERFACES $VLAN
39
    ip link set $VLAN up
40

  
41
    ip rule add iif $VLAN table rt_$NAME
42

  
43
    ip route add $SUBNET dev $VLAN table main 
44

  
45
    ip route add $SUBNET dev $VLAN table rt_$NAME
46
    ip route add default via $GATEWAY dev $VLAN table rt_$NAME
47
    
48
    echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
49

  
50
    arptables -A OUTPUT -o $VLAN --opcode request -j mangle --mangle-ip-s  $ARP_IP 
51
  fi
52
fi
53

  
54

  
55

  
56
if [ $MODE == "bridged" ]; then
57
  BRIDGE=$LINK
58
  echo 1 > /proc/sys/net/ipv4/ip_forward
59
  if [ $TYPE == "public" ]; then
60
    VLAN=$INTERFACE.$PUBLIC_VLAN_ID
61
  elif [ $TYPE == "private" ]; then
62
    VLAN_ID=${PRIVATE_VLAN_IDS%% *}
63
    VLAN_IDS=${PRIVATE_VLAN_IDS#* }
64
    sed -i 's/PRIVATE_VLAN_IDS/ s/=.*/='"VLAN_IDS"'/' $NODEGROUP_FILE
65
    #set -- $PRIVATE_VLAN_IDS
66
    #VLAN=$1
67
    #shift
68
    #VLANS=$@
69
    VLAN=$INTERFACE.$VLAN_ID
70
  fi
71
  cat > $INTERFACES <<EOF
72
# $VLAN $MODE $BRIDGE
73
auto $VLAN
74
iface $VLAN inet manual
75

  
76
auto $BRIDGE
77
iface $BRIDGE inet manual
78
  bridge_ports $VLAN
79
  bridge_stp off
80
  bridge_fd 2
81
EOF
82
  ifup -i $INTERFACES $BRIDGE
83
  ip link set $VLAN up
84
  ip route add $SUBNET dev $BRIDGE table main
85

  
86
  ip route add $SUBNET dev $BRIDGE table rt_$NETWORK
87
  if [ ! -z $GATEWAY ]; then
88
    ip route add default via  dev $BRIDGE table rt_$NETWORK
89
    if [ $TYPE == "private" ]; then 
90
      if [ ! -z $ROUTER ]; then 
91
        if [ $(hostname) == $ROUTER ]; then
92
          NETMASK=$(ipcalc $SUBNET | grep Netmask | awk '{print $4}')
93
          ip addr add $GATEWAY/$NETMASK dev $BRIDGE
94
          iptables -t nat -A POSTROUTING -s $SUBNET \! -d $SUBNET -j MASQUERADE
95
        fi  
96
      fi
97
    fi
98
  fi
99
fi
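Review bot: Several names in the routed branch never line up, so it cannot complete as written: line 26 assigns `APR_IP` while lines 36 and 50 read `$ARP_IP`, lines 41–46 use `rt_$NAME` although nothing in this script or the sourced network file sets `NAME` (the group-modify hook and the bridged branch use `rt_$NETWORK`), and line 17 spells the directory `nodegoups` whereas the nodegroup writer creates `nodegroups`, so `$ROUTER` and `$INTERFACE` stay empty. In the bridged branch line 88 is missing the address: `ip route add default via "$GATEWAY" dev "$BRIDGE" table "rt_$NETWORK"`. Line 64's `sed -i 's/PRIVATE_VLAN_IDS/ s/=.*/='"VLAN_IDS"'/'` is not a valid substitution and, if it ran, would write the literal text `VLAN_IDS` rather than `$VLAN_IDS`. Fixing the three spellings (`ARP_IP=...`, `table "rt_$NETWORK"`, `NODEGROUP_FILE=$DIR/nodegroups/$NODEGROUP`) and adding `set -eu` at the top would make the remaining mismatches (`PRIVATE_VLAN_IDS` versus the `PRIVATE_VLANS` key the nodegroup file carries) fail loudly instead of leaving a half-configured node.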
/dev/null
1
#!/bin/bash
2

  
3
DIR=/var/lib/snf-network
4
NETWORK=$1
5
NODEGROUP=$2
6

  
7
source /etc/default/snf-network
8

  
9
if [ $# -ne 2 ]; then
10
  echo "$0 <network> <nodegroup>"
11
  exit 1
12
fi
13

  
14
NETWORK_FILE=$DIR/networks/$NETWORK
15
NODEGROUP_FILE=$DIR/nodegoups/$NODEGROUP
16
INTERFACES=$DIR/interfaces/$NETWORK-$NODEGROUP
17

  
18
read x VLAN BRIDGE < $INTERFACES
19

  
20
VLAN_ID=${VLAN#*:}
21

  
22
source $NETWORK_FILE
23
source $NODEGROUP_FILE
24

  
25
if [ $MODE == "routed" ]; then 
26
  if [ $TYPE == "public" ]; then
27
    APR_IP=$(ipcalc $SUBNET | grep HostMax | awk '{print $2}')
28
    ip rule del iif $VLAN table rt_$NAME
29

  
30
    ip route del $SUBNET dev $VLAN table main 
31

  
32
    ip route del $SUBNET dev $VLAN table rt_$NAME
33
    ip route del default via $GATEWAY dev $VLAN table rt_$NAME
34

  
35
    arptables -D OUTPUT -o $VLAN --opcode request -j mangle --mangle-ip-s  $ARP_IP 
36
    ifdown -i $INTERFACES $VLAN
37
    rm $INTERFACES
38
  fi
39
fi
40

  
41

  
42

  
43
if [ $MODE == "bridged" ]; then
44
  if [ $TYPE == "private" ]; then
45
    VLAN_IDS="$VLAN_ID $PRIVATE_VLAN_IDS"
46
    sed -i 's/PRIVATE_VLAN_IDS/ s/=.*/='"VLAN_IDS"'/' $NODEGROUP_FILE
47
  fi
48

  
49
  ip route del $SUBNET dev $BRIDGE table main
50

  
51
  ip route del $SUBNET dev $BRIDGE table rt_$NETWORK
52
  if [ ! -z $GATEWAY ]; then
53
    ip route del default via $GATEWAY dev $BRIDGE table rt_$NETWORK
54
    if [ $TYPE == "private" ]; then 
55
      if [ ! -z $ROUTER ]; then 
56
        if [ $(hostname) == $ROUTER ]; then
57
          NETMASK=$(ipcalc $SUBNET | grep Netmask | awk '{print $4}')
58
          ip addr del $GATEWAY/$NETMASK dev $LINK 
59
          iptables -t nat -D POSTROUTING -s $SUBNET \! -d $SUBNET -j MASQUERADE
60
        fi  
61
      fi
62
    fi
63
  fi
64
  ifdown -i $INTERFACES $BRIDGE
65
  rm $INTERFACES
66
fi
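Review bot: `read x VLAN BRIDGE < $INTERFACES` on line 18 parses the header the add script wrote (`# $VLAN $MODE $BRIDGE`), so `BRIDGE` receives `bridged <bridge>` rather than the bridge name, `MODE` is never assigned at all, and both `[ $MODE == ... ]` tests on lines 25 and 43 fail — nothing is ever torn down. Read all four fields, `read _ VLAN MODE BRIDGE < "$INTERFACES"`, and take the VLAN id from the dotted name the add script builds (`$INTERFACE.$VLAN_ID`), `VLAN_ID=${VLAN##*.}`, since `${VLAN#*:}` strips nothing. Line 58 also deletes the gateway address from `$LINK`, which this script never sets; it should be `dev "$BRIDGE"` to mirror the add side.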
b/hooks/group-modify-post.d/snf-network
1
#!/bin/bash
2

  
3
source /etc/default/snf-network
4

  
5
GROUP=$GANETI_GROUP_NAME
6

  
7
ACTION=$GANETI_GROUP_NETWORK_ACTION
8
NETWORK=$GANETI_GROUP_NETWORK_NAME
9
MODE=$GANETI_GROUP_NETWORK_MODE
10
LINK=$GANETI_GROUP_NETWORK_LINK
11

  
12

  
13

  
14
if [ -z $ACTION ]; then
15
  exit 0
16
fi
17

  
18
NETFILE=$SHAREDDIR/networks/$NETWORK
19

  
20
MAPFILE=$SHAREDDIR/mappings/$NETWORK-$GROUP
21

  
22
function set_rt_table {
23
  ID=$(sed  -n '/^$/ { =; q}' /etc/iproute2/rt_tables)
24
  if [ -z $ID ]; then
25
    ID=$(wc -l /etc/iproute2/rt_tables)
26
    echo $((ID+1)) rt_$NETWORK > /etc/iproute2/rt_tables
27
  else
28
    sed -i '1,/^$/ s/^$/'"$ID"' rt_'"$NETWORK"'/' /etc/iproute2/rt_tables
29
  fi
30
}
31

  
32

  
33

  
34
if [ $ACTION == "add" ]; then
35
  if [ $MODE == "routed" ]; then 
36
    VLAN=$LINK
37
    if [ $TYPE == "public" ]; then
38
      ARP_IP=$(ipcalc $SUBNET | grep HostMax | awk '{print $2}')
39
      
40
      ip link set $VLAN up
41

  
42
      echo 1 > "/proc/sys/net/ipv4/conf/$VLAN/proxy_arp"
43

  
44
      set_rt_table
45

  
46
      ip rule add iif $VLAN table rt_$NETWORK
47

  
48
      ip route add $SUBNET dev $VLAN table main 
49

  
50
      ip route add $SUBNET dev $VLAN table rt_$NETWORK
51
      ip route add default via $GATEWAY dev $VLAN table rt_$NETWORK
52
      
53
      echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
54

  
55
      arptables -A OUTPUT -o $VLAN --opcode request -j mangle --mangle-ip-s  $ARP_IP 
56
    fi
57
  fi
58

  
59

  
60

  
61
  if [ $MODE == "bridged" ]; then
62
    BRIDGE=$LINK
63
    if [ ! -z $GATEWAY ]; then
64
      if [ $TYPE == "private" ]; then 
65
        if [ $(hostname) == $ROUTER ]; then
66
          NETMASK=$(ipcalc $SUBNET | grep Netmask | awk '{print $4}')
67
          ip addr add $GATEWAY/$NETMASK dev $BRIDGE
68
          iptables -t nat -A POSTROUTING -s $SUBNET \! -d 192.168.0.0/16 -j MASQUERADE
69
        fi  
70
      fi
71
    fi
72
  fi
73
  
74
  cat > $MAPFILE <<EOF
75
MODE=$MODE
76
LINK=$LINK
77
EOF
78

  
79
else
80

  
81
  source $MAPFILE
82

  
83
  if [ "$MODE" == "routed" ]; then 
84
    VLAN=$LINK
85
    TABLE=rt_$NETWORK
86
    if [ $TYPE == "public" ]; then
87
      ARP_IP=$(ipcalc $SUBNET | grep HostMax | awk '{print $2}')
88
    
89
      arptables -D OUTPUT -o $VLAN --opcode request -j mangle --mangle-ip-s  $ARP_IP 
90

  
91
      ip route del default via $GATEWAY dev $VLAN table $TABLE
92
      ip route del $SUBNET dev $VLAN table $TABLE
93

  
94
      ip route del $SUBNET dev $VLAN table main 
95

  
96
      ip rule del iif $VLAN table $TABLE
97
      sed -i 's/.*'"$TABLE"'$//' /etc/iproute2/rt_tables
98
    fi
99
  fi
100

  
101

  
102

  
103
  if [ "$MODE" == "bridged" ]; then
104
    BRIDGE=$LINK
105
    if [ ! -z $GATEWAY ]; then
106
      if [ $TYPE == "private" ]; then 
107
        if [ $(hostname) == $ROUTER ]; then
108
          NETMASK=$(ipcalc $SUBNET | grep Netmask | awk '{print $4}')
109
          ip addr del $GATEWAY/$NETMASK dev $BRIDGE
110
          iptables -t nat -D POSTROUTING -s $SUBNET \! -d 192.168.0.0/16 -j MASQUERADE
111
        fi  
112
      fi
113
    fi
114
  fi
115
  
116
  rm $MAPFILE
117

  
118
fi
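Review bot: `set_rt_table` mishandles `/etc/iproute2/rt_tables` on its fallback path: line 25 sets `ID` to the full `wc -l` output (`N /etc/iproute2/rt_tables`), which makes `$((ID+1))` on line 26 an arithmetic error, and once that is fixed the single `>` on the same line truncates the file, dropping the reserved `local`/`main`/`default` entries and every other network's table. Use `ID=$(wc -l < /etc/iproute2/rt_tables)` and `echo "$((ID+1)) rt_$NETWORK" >> /etc/iproute2/rt_tables`. Separately, `NETFILE` is computed on line 18 but never sourced, so `$TYPE`, `$SUBNET` and `$GATEWAY` are empty on both the add and remove paths (the `[ $TYPE == "public" ]` tests error out and the routed setup is skipped); a `source "$NETFILE"` after line 18 is needed, and `$ROUTER` at lines 65 and 107 has no source in this hook either.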
b/hooks/network-add-post.d/snf-network
1
#!/bin/bash
2

  
3
source /etc/default/snf-network
4

  
5

  
6
NETFILE=$SHAREDDIR/networks/$NETWORK
7

  
8

  
9
cat > $NETFILE <<EOF
10
NETWORK=$GANETI_NETWORK_NAME
11
SUBNET=$GANETI_NETWORK_SUBNET
12
GATEWAY=$GANETI_NETWORK_GATEWAY
13

  
14
SUBNET6=$GANETI_NETWORK_SUBNET6
15
GATEWAY6=$GANETI_NETWORK_GATEWAY6
16

  
17
MAC_PREFIX=$GANETI_NETWORK_MAC_PREFIX
18

  
19
TYPE=$GANETI_NETWORK_TYPE
20
EOF
21

  
22
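Review bot: `NETWORK` is never assigned before line 6 — the hook only has `$GANETI_NETWORK_NAME`, which is used inside the heredoc — so `NETFILE` resolves to `$SHAREDDIR/networks/` and the `cat >` on line 9 fails against a directory. Add `NETWORK=$GANETI_NETWORK_NAME` (and `: "${SHAREDDIR:?}"`) before `NETFILE`. Since the companion scripts in this commit `source` files from the networks directory as root, also write the Ganeti-supplied values shell-quoted, e.g. `printf 'SUBNET=%q\n' "$GANETI_NETWORK_SUBNET"` for each key, rather than interpolating them bare into the heredoc.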

  
b/kvm-vif-bridge
7 7
MAC2EUI64=/usr/bin/mac2eui64
8 8
NFDHCPD_STATE_DIR=/var/lib/nfdhcpd
9 9

  
10
function clear_tap {
11
 
12
 arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle >/dev/null 2>&1
13
 while ip rule del dev $INTERFACE; do :; done
14
 iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP 2>/dev/null
15

  
16

  
17
}
18

  
10 19
function routed_setup_ipv4 {
11 20
	# get the link's default gateway
12 21
	gw=$(ip route list table $TABLE | sed -n 's/default via \([^ ]\+\).*/\1/p' | head -1)
13 22

  
14 23
	# mangle ARPs to come from the gw's IP
15
	arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle >/dev/null 2>&1
16 24
	arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$gw"
17 25

  
18 26
	# route interface to the proper routing table
19
	while ip rule del dev $INTERFACE; do :; done
20 27
	ip rule add dev $INTERFACE table $TABLE
21 28

  
22 29
	# static route mapping IP -> INTERFACE
......
73 80
	fi
74 81
}
75 82

  
76
function routed_setup_nfdhcpd {
83
function setup_nfdhcpd {
77 84
	umask 022
78 85
	cat >$NFDHCPD_STATE_DIR/$INTERFACE <<EOF
79 86
IFACE=$1
......
85 92
EOF
86 93
}
87 94

  
88
function reset_ebtables {
95
function clear_ebtables {
89 96
  TAP=$INTERFACE
90 97
  FROM=FROM${TAP^^}
91 98
  TO=TO${TAP^^}
92 99
  
93
  ebtables -D INPUT -i $TAP -j $FROM
94
  ebtables -D FORWARD -i $TAP -j $FROM
95
  ebtables -D FORWARD -o $TAP -j $TO
96
  ebtables -D OUTPUT -o $TAP -j $TO
100
  exist=$(ebtables -L | grep $TAP)
97 101
  
98
  ebtables -X $FROM
99
  ebtables -X $TO
102
  if [ ! -z "$exist" ]; then
103
    ebtables -D INPUT -i $TAP -j $FROM
104
    ebtables -D FORWARD -i $TAP -j $FROM
105
    ebtables -D FORWARD -o $TAP -j $TO
106
    ebtables -D OUTPUT -o $TAP -j $TO
107

  
108
    ebtables -X $FROM
109
    ebtables -X $TO
110
  fi
100 111
}
101 112

  
102
function set_ebtables {
113
function setup_ebtables {
103 114
  TAP=$INTERFACE
104 115
  FROM=FROM${TAP^^}
105 116
  TO=TO${TAP^^}
106 117

  
107 118
  ebtables -N $FROM
119
  # do not allow changes in ip-mac pair
108 120
  ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
109 121
  ebtables -A $FROM -s \! $MAC -j DROP 
110
  ebtables -A INPUT -i $TAP -j $FROM 
111 122
  ebtables -A FORWARD -i $TAP -j $FROM 
112 123
  ebtables -N $TO
113 124
  ebtables -A FORWARD -o $TAP -j $TO
114
  ebtables -A OUTPUT -o $TAP -j $TO
115 125
  #accept dhcp responses from host (nfdhcpd)
116 126
  ebtables -A $TO -p ipv4 --ip-protocol=udp  --ip-destination-port=68 -j ACCEPT
117 127
  if [ $TYPE == "private" ]; then 
118
    ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP 
119 128
    if [ ! -z $GATEWAY ]; then 
129
      # allow packets from/to router (for masquerading
120 130
      ebtables -A $TO -s $ROUTER_MAC -j ACCEPT 
131
      ebtables -A INPUT -i $TAP -j $FROM 
132
      ebtables -A OUTPUT -o $TAP -j $TO
121 133
    fi
134
    # allow only packets from the same mac prefix 
135
    ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP 
122 136
  fi
123 137
}
124 138

  
125 139
#FIXME: import router mac from the config files
126 140
#       must know node group!! how???
127
ROUTER_MAC=6e:10:e1:a0:c3:0f
141
ROUTER_MAC=e4:11:5b:b2:8d:ca
128 142
MAC_MASK=ff:ff:ff:0:0:0
129 143

  
130 144
TABLE=rt_$NETWORK
......
134 148

  
135 149
if [ "$MODE" = "routed" ]; then
136 150
	# special proxy-ARP/NDP routing mode
137

  
151
  clear_tap
138 152
	# use a constant predefined MAC address for the tap
139 153
	ip link set $INTERFACE addr $TAP_CONSTANT_MAC
140 154
	# bring the tap up
141 155
	ifconfig $INTERFACE 0.0.0.0 up
142 156

  
143 157
	# Drop unicast BOOTP/DHCP packets
144
	iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP 2>/dev/null
145 158
	iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP
146 159

  
147 160
	routed_setup_ipv4
148
	routed_setup_ipv6
149
	routed_setup_firewall
150
	routed_setup_nfdhcpd $INTERFACE
151
  reset_ebtables
161
#	routed_setup_ipv6
162
#	routed_setup_firewall
163
	setup_nfdhcpd $INTERFACE
164
  clear_ebtables >/dev/null 2>&1
152 165
elif [ "$MODE" = "bridged" ]; then
153
  while ip rule del dev $INTERFACE; do :; done
166
  clear_tap
167
  clear_ebtables >/dev/null 2>&1
154 168
	ifconfig $INTERFACE 0.0.0.0 up
155 169
	brctl addif $BRIDGE $INTERFACE
156
	routed_setup_nfdhcpd $BRIDGE
157
  reset_ebtables
158
  set_ebtables
170
	setup_nfdhcpd $BRIDGE
171
  setup_ebtables
159 172
fi   
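Review bot: In the bridged branch the TAP is attached to the bridge (`brctl addif $BRIDGE $INTERFACE`, line 169) before `setup_ebtables` runs on line 171, so between the two calls the guest can push frames with any MAC/IP through the bridge unfiltered; reorder to `setup_ebtables`, then `ifconfig $INTERFACE 0.0.0.0 up`, then `brctl addif $BRIDGE $INTERFACE`. The routed branch has the same shape: `ifconfig ... up` on line 155 precedes the DHCP DROP rule on line 158 and `routed_setup_ipv4`. `clear_ebtables >/dev/null 2>&1` on lines 164 and 167 also hides a failure to remove a stale chain, after which `ebtables -N $FROM` in `setup_ebtables` presumably fails and the new rules are appended behind whatever the old chain still holds — worth at least logging rather than discarding. `routed_setup_ipv4` and `setup_nfdhcpd` continue outside the hunks shown.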
/dev/null
1
#
2
# reserved values
3
#
4
255 local
5
254 main
6
253 default
7
0 unspec
8
#
9
# local
10
#
11
#1  inr.ruhep
12
# dev.grnet.gr, routing table used
13
# for the public IP space allocated to Synnefo VMs
14
# This *must* match the name of the link
15
# in gnt-network for nfdhcpd to work properly.
16
44  rt_net100
17
45  rt_net101
18
46  rt_public
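Review bot: The comment on lines 14–15 says the table name *must* match the gnt-network link name, but kvm-vif-bridge in this same commit derives it from the network (`TABLE=rt_$NETWORK`), and the group-modify hook allocates ids into this file dynamically, so whether the fixed `dev.grnet.gr` entries 44–46 are a template or a live file is unclear. Suggest rewording to `# Tables are named rt_<network name> (see TABLE=rt_$NETWORK in kvm-vif-bridge); ids are allocated by the group-modify hook.` and either dropping the site-specific entries from the shipped file or marking it as an example.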
b/unconfigure-interfaces
1
#!/bin/bash
2

  
3
source /etc/default/snf-network
4

  
5
HOSTNAME=$(hostname)
6

  
7

  
8
INTERFACES=$SHAREDDIR/interfaces/$HOSTNAME
9
INFRA=$SHAREDDIR/infra/$HOSTNAME
10

  
11
if [ -e $INFRA ]; then
12
  source $INFRA
13
fi
14

  
15
ifdown -i $INTERFACES -a --force
16

  
