Revision 9bd377b2
b/kvm-vif-bridge | ||
---|---|---|
50 | 50 |
function routed_setup_ipv4 { |
51 | 51 |
|
52 | 52 |
# mangle ARPs to come from the gw's IP |
53 |
arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$GATEWAY" |
|
53 |
arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY"
|
|
54 | 54 |
|
55 | 55 |
# route interface to the proper routing table |
56 |
ip rule add dev $INTERFACE table $TABLE
|
|
56 |
ip rule add dev $INTERFACE table $TABLE |
|
57 | 57 |
|
58 | 58 |
# static route mapping IP -> INTERFACE |
59 | 59 |
ip route replace $IP proto static dev $INTERFACE table $TABLE |
... | ... | |
64 | 64 |
|
65 | 65 |
function routed_setup_ipv6 { |
66 | 66 |
# Add a routing entry for the eui-64 |
67 |
prefix=$SUBNET6 |
|
67 |
prefix=$NETWORK_SUBNET6
|
|
68 | 68 |
uplink=$PUBLIC_VLAN |
69 | 69 |
eui64=$($MAC2EUI64 $MAC $prefix) |
70 | 70 |
|
71 |
|
|
71 |
|
|
72 | 72 |
ip -6 rule add dev $INTERFACE table $TABLE |
73 | 73 |
ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE |
74 |
ip -6 neigh add proxy $eui64 dev $uplink
|
|
74 |
ip -6 neigh add proxy $eui64 dev $uplink |
|
75 | 75 |
|
76 | 76 |
# disable proxy NDP since we're handling this on userspace |
77 | 77 |
# this should be the default, but better safe than sorry |
... | ... | |
119 | 119 |
ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT |
120 | 120 |
# allow only packets from the same mac prefix |
121 | 121 |
ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP |
122 |
if [ $ENABLE_MASQ -a -n "$GATEWAY" ]; then |
|
123 |
# allow packets from/to router (for masquerading) |
|
124 |
ebtables -A $TO -s $PUBLIC_MAC -j ACCEPT |
|
125 |
ebtables -A INPUT -i $TAP -j $FROM |
|
126 |
ebtables -A OUTPUT -o $TAP -j $TO |
|
127 |
fi |
|
128 | 122 |
} |
129 | 123 |
|
124 |
function setup_masq { |
|
125 |
TAP=$INTERFACE |
|
126 |
FROM=FROM${TAP^^} |
|
127 |
TO=TO${TAP^^} |
|
128 |
|
|
129 |
# allow packets from/to router (for masquerading) |
|
130 |
ebtables -A $TO -s $PUBLIC_MAC -j ACCEPT |
|
131 |
ebtables -A INPUT -i $TAP -j $FROM |
|
132 |
ebtables -A OUTPUT -o $TAP -j $TO |
|
133 |
} |
|
130 | 134 |
|
131 | 135 |
function setup_nfdhcpd { |
132 | 136 |
umask 022 |
... | ... | |
135 | 139 |
#needed in bridged mode where the packets seems to arrive from the |
136 | 140 |
#bridge and not from the tap |
137 | 141 |
cat >$FILE <<EOF |
138 |
INDEV=$1
|
|
142 |
INDEV=$INDEV
|
|
139 | 143 |
IP=$IP |
140 | 144 |
MAC=$MAC |
141 | 145 |
HOSTNAME=$INSTANCE |
142 | 146 |
TAGS="$TAGS" |
143 |
GATEWAY=$GATEWAY |
|
144 |
SUBNET=$SUBNET
|
|
145 |
GATEWAY6=$GATEWAY6
|
|
146 |
SUBNET6=$SUBNET6
|
|
147 |
EUI64=$($MAC2EUI64 $MAC $SUBNET6 2>/dev/null) |
|
147 |
GATEWAY=$NETWORK_GATEWAY
|
|
148 |
SUBNET=$NETWORK_SUBNET
|
|
149 |
GATEWAY6=$NETWORK_GATEWAY6
|
|
150 |
SUBNET6=$NETWORK_SUBNET6
|
|
151 |
EUI64=$($MAC2EUI64 $MAC $NETWORK_SUBNET6 2>/dev/null)
|
|
148 | 152 |
EOF |
149 | 153 |
|
150 | 154 |
} |
... | ... | |
158 | 162 |
|
159 | 163 |
source $INFRA |
160 | 164 |
|
165 |
log-env |
|
161 | 166 |
|
162 | 167 |
clear_routed_setup_ipv4 > /dev/null 2>&1 |
163 | 168 |
clear_routed_setup_ipv6 > /dev/null 2>&1 |
... | ... | |
166 | 171 |
|
167 | 172 |
if [ "$MODE" = "routed" ]; then |
168 | 173 |
TABLE=$LINK |
169 |
# use a constant predefined MAC address for the tap |
|
170 |
ip link set $INTERFACE addr $TAP_CONSTANT_MAC |
|
171 |
# bring the tap up |
|
172 |
ifconfig $INTERFACE 0.0.0.0 up |
|
173 |
|
|
174 |
# Drop unicast BOOTP/DHCP packets |
|
175 |
iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP |
|
176 |
|
|
177 |
routed_setup_ipv4 > /dev/null 2>&1 |
|
178 |
routed_setup_ipv6 > /dev/null 2>&1 |
|
179 |
routed_setup_firewall > /dev/null 2>&1 |
|
180 |
setup_nfdhcpd $INTERFACE |
|
174 |
ip link set $INTERFACE addr $TAP_CONSTANT_MAC up |
|
175 |
INDEV=$INTERFACE |
|
181 | 176 |
elif [ "$MODE" = "bridged" ]; then |
182 |
ifconfig $INTERFACE 0.0.0.0 up
|
|
177 |
ip link set $INTERFACE up
|
|
183 | 178 |
brctl addif $BRIDGE $INTERFACE |
184 |
setup_nfdhcpd $BRIDGE |
|
185 |
if [ $ENABLE_EBTABLES -a "$TYPE" = "private-filtered" ]; then |
|
186 |
setup_ebtables > /dev/null 2>&1 |
|
187 |
fi |
|
179 |
INDEV=$BRIDGE |
|
188 | 180 |
fi |
181 |
|
|
182 |
|
|
183 |
for tag in $NETWORK_TAGS; do |
|
184 |
case $tag in |
|
185 |
ip-less-routed) |
|
186 |
routed_setup_ipv4 > /dev/null 2>&1 |
|
187 |
routed_setup_ipv6 > /dev/null 2>&1 |
|
188 |
routed_setup_firewall > /dev/null 2>&1 |
|
189 |
;; |
|
190 |
nfdhcpd) |
|
191 |
# Drop unicast BOOTP/DHCP packets |
|
192 |
iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP |
|
193 |
setup_nfdhcpd > /dev/null 2>&1 |
|
194 |
;; |
|
195 |
mac-filtered) |
|
196 |
setup_ebtables > /dev/null 2>&1 |
|
197 |
;; |
|
198 |
masq) |
|
199 |
setup_masq > /dev/null 2>&1 |
|
200 |
;; |
|
201 |
esac |
|
202 |
done |
|
203 |
|
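Review bot: The new tag loop (new lines 183-202) runs `setup_ebtables` and `setup_masq` in whatever order `$NETWORK_TAGS` lists them, yet `setup_masq` only appends to `$TO` and attaches `$FROM`/`$TO` to INPUT/OUTPUT, chains that `setup_ebtables` fills (their creation is outside the visible hunks), so a `masq` tag processed before or without `mac-filtered` presumably fails. Every call in the loop discards stdout, stderr and the exit status with `> /dev/null 2>&1`, so a failed ebtables install is invisible and the hook still exits 0 after `brctl addif` (new line 178) has already put the tap on the bridge, i.e. the instance ends up attached with no MAC filtering, which is fail-open for a filtering hook. I would make the filtering steps fatal, e.g. `setup_ebtables > /dev/null 2>&1 || { echo "$0: ebtables setup failed on $INTERFACE" >&2; exit 1; }` and the same for `setup_masq`, and either handle `mac-filtered` before `masq` regardless of tag order or have `setup_masq` verify that `$TO` exists before appending. Whether the caller treats a non-zero exit from this hook as fatal I cannot tell from here; if it does not, the failure should at least be logged rather than swallowed.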