Revision 7d163a24 kvm-vif-bridge
| b/kvm-vif-bridge | ||
|---|---|---|
| 7 | 7 |
MAC2EUI64=/usr/bin/mac2eui64 |
| 8 | 8 |
NFDHCPD_STATE_DIR=/var/lib/nfdhcpd |
| 9 | 9 |
|
| 10 |
function clear_tap {
|
|
| 11 |
|
|
| 12 |
arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle >/dev/null 2>&1 |
|
| 13 |
while ip rule del dev $INTERFACE; do :; done |
|
| 14 |
iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP 2>/dev/null |
|
| 15 |
|
|
| 16 |
|
|
| 17 |
} |
|
| 18 |
|
|
| 10 | 19 |
function routed_setup_ipv4 {
|
| 11 | 20 |
# get the link's default gateway |
| 12 | 21 |
gw=$(ip route list table $TABLE | sed -n 's/default via \([^ ]\+\).*/\1/p' | head -1) |
| 13 | 22 |
|
| 14 | 23 |
# mangle ARPs to come from the gw's IP |
| 15 |
arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle >/dev/null 2>&1 |
|
| 16 | 24 |
arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$gw" |
| 17 | 25 |
|
| 18 | 26 |
# route interface to the proper routing table |
| 19 |
while ip rule del dev $INTERFACE; do :; done |
|
| 20 | 27 |
ip rule add dev $INTERFACE table $TABLE |
| 21 | 28 |
|
| 22 | 29 |
# static route mapping IP -> INTERFACE |
| ... | ... | |
| 73 | 80 |
fi |
| 74 | 81 |
} |
| 75 | 82 |
|
| 76 |
function routed_setup_nfdhcpd {
|
|
| 83 |
function setup_nfdhcpd {
|
|
| 77 | 84 |
umask 022 |
| 78 | 85 |
cat >$NFDHCPD_STATE_DIR/$INTERFACE <<EOF |
| 79 | 86 |
IFACE=$1 |
| ... | ... | |
| 85 | 92 |
EOF |
| 86 | 93 |
} |
| 87 | 94 |
|
| 88 |
function reset_ebtables {
|
|
| 95 |
function clear_ebtables {
|
|
| 89 | 96 |
TAP=$INTERFACE |
| 90 | 97 |
FROM=FROM${TAP^^}
|
| 91 | 98 |
TO=TO${TAP^^}
|
| 92 | 99 |
|
| 93 |
ebtables -D INPUT -i $TAP -j $FROM |
|
| 94 |
ebtables -D FORWARD -i $TAP -j $FROM |
|
| 95 |
ebtables -D FORWARD -o $TAP -j $TO |
|
| 96 |
ebtables -D OUTPUT -o $TAP -j $TO |
|
| 100 |
exist=$(ebtables -L | grep $TAP) |
|
| 97 | 101 |
|
| 98 |
ebtables -X $FROM |
|
| 99 |
ebtables -X $TO |
|
| 102 |
if [ ! -z "$exist" ]; then |
|
| 103 |
ebtables -D INPUT -i $TAP -j $FROM |
|
| 104 |
ebtables -D FORWARD -i $TAP -j $FROM |
|
| 105 |
ebtables -D FORWARD -o $TAP -j $TO |
|
| 106 |
ebtables -D OUTPUT -o $TAP -j $TO |
|
| 107 |
|
|
| 108 |
ebtables -X $FROM |
|
| 109 |
ebtables -X $TO |
|
| 110 |
fi |
|
| 100 | 111 |
} |
| 101 | 112 |
|
| 102 |
function set_ebtables {
|
|
| 113 |
function setup_ebtables {
|
|
| 103 | 114 |
TAP=$INTERFACE |
| 104 | 115 |
FROM=FROM${TAP^^}
|
| 105 | 116 |
TO=TO${TAP^^}
|
| 106 | 117 |
|
| 107 | 118 |
ebtables -N $FROM |
| 119 |
# do not allow changes in ip-mac pair |
|
| 108 | 120 |
ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP |
| 109 | 121 |
ebtables -A $FROM -s \! $MAC -j DROP |
| 110 |
ebtables -A INPUT -i $TAP -j $FROM |
|
| 111 | 122 |
ebtables -A FORWARD -i $TAP -j $FROM |
| 112 | 123 |
ebtables -N $TO |
| 113 | 124 |
ebtables -A FORWARD -o $TAP -j $TO |
| 114 |
ebtables -A OUTPUT -o $TAP -j $TO |
|
| 115 | 125 |
#accept dhcp responses from host (nfdhcpd) |
| 116 | 126 |
ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT |
| 117 | 127 |
if [ $TYPE == "private" ]; then |
| 118 |
ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP |
|
| 119 | 128 |
if [ ! -z $GATEWAY ]; then |
| 129 |
# allow packets from/to router (for masquerading |
|
| 120 | 130 |
ebtables -A $TO -s $ROUTER_MAC -j ACCEPT |
| 131 |
ebtables -A INPUT -i $TAP -j $FROM |
|
| 132 |
ebtables -A OUTPUT -o $TAP -j $TO |
|
| 121 | 133 |
fi |
| 134 |
# allow only packets from the same mac prefix |
|
| 135 |
ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP |
|
| 122 | 136 |
fi |
| 123 | 137 |
} |
| 124 | 138 |
|
| 125 | 139 |
#FIXME: import router mac from the config files |
| 126 | 140 |
# must know node group!! how??? |
| 127 |
ROUTER_MAC=6e:10:e1:a0:c3:0f
|
|
| 141 |
ROUTER_MAC=e4:11:5b:b2:8d:ca
|
|
| 128 | 142 |
MAC_MASK=ff:ff:ff:0:0:0 |
| 129 | 143 |
|
| 130 | 144 |
TABLE=rt_$NETWORK |
| ... | ... | |
| 134 | 148 |
|
| 135 | 149 |
if [ "$MODE" = "routed" ]; then |
| 136 | 150 |
# special proxy-ARP/NDP routing mode |
| 137 |
|
|
| 151 |
clear_tap |
|
| 138 | 152 |
# use a constant predefined MAC address for the tap |
| 139 | 153 |
ip link set $INTERFACE addr $TAP_CONSTANT_MAC |
| 140 | 154 |
# bring the tap up |
| 141 | 155 |
ifconfig $INTERFACE 0.0.0.0 up |
| 142 | 156 |
|
| 143 | 157 |
# Drop unicast BOOTP/DHCP packets |
| 144 |
iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP 2>/dev/null |
|
| 145 | 158 |
iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP |
| 146 | 159 |
|
| 147 | 160 |
routed_setup_ipv4 |
| 148 |
routed_setup_ipv6 |
|
| 149 |
routed_setup_firewall |
|
| 150 |
routed_setup_nfdhcpd $INTERFACE
|
|
| 151 |
reset_ebtables
|
|
| 161 |
# routed_setup_ipv6
|
|
| 162 |
# routed_setup_firewall
|
|
| 163 |
setup_nfdhcpd $INTERFACE |
|
| 164 |
clear_ebtables >/dev/null 2>&1
|
|
| 152 | 165 |
elif [ "$MODE" = "bridged" ]; then |
| 153 |
while ip rule del dev $INTERFACE; do :; done |
|
| 166 |
clear_tap |
|
| 167 |
clear_ebtables >/dev/null 2>&1 |
|
| 154 | 168 |
ifconfig $INTERFACE 0.0.0.0 up |
| 155 | 169 |
brctl addif $BRIDGE $INTERFACE |
| 156 |
routed_setup_nfdhcpd $BRIDGE |
|
| 157 |
reset_ebtables |
|
| 158 |
set_ebtables |
|
| 170 |
setup_nfdhcpd $BRIDGE |
|
| 171 |
setup_ebtables |
|
| 159 | 172 |
fi |
Also available in: Unified diff