Revision 9bd377b2
| b/kvm-vif-bridge | ||
|---|---|---|
| 50 | 50 |
function routed_setup_ipv4 {
|
| 51 | 51 |
|
| 52 | 52 |
# mangle ARPs to come from the gw's IP |
| 53 |
arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$GATEWAY" |
|
| 53 |
arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY"
|
|
| 54 | 54 |
|
| 55 | 55 |
# route interface to the proper routing table |
| 56 |
ip rule add dev $INTERFACE table $TABLE
|
|
| 56 |
ip rule add dev $INTERFACE table $TABLE |
|
| 57 | 57 |
|
| 58 | 58 |
# static route mapping IP -> INTERFACE |
| 59 | 59 |
ip route replace $IP proto static dev $INTERFACE table $TABLE |
| ... | ... | |
| 64 | 64 |
|
| 65 | 65 |
function routed_setup_ipv6 {
|
| 66 | 66 |
# Add a routing entry for the eui-64 |
| 67 |
prefix=$SUBNET6 |
|
| 67 |
prefix=$NETWORK_SUBNET6
|
|
| 68 | 68 |
uplink=$PUBLIC_VLAN |
| 69 | 69 |
eui64=$($MAC2EUI64 $MAC $prefix) |
| 70 | 70 |
|
| 71 |
|
|
| 71 |
|
|
| 72 | 72 |
ip -6 rule add dev $INTERFACE table $TABLE |
| 73 | 73 |
ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE |
| 74 |
ip -6 neigh add proxy $eui64 dev $uplink
|
|
| 74 |
ip -6 neigh add proxy $eui64 dev $uplink |
|
| 75 | 75 |
|
| 76 | 76 |
# disable proxy NDP since we're handling this on userspace |
| 77 | 77 |
# this should be the default, but better safe than sorry |
| ... | ... | |
| 119 | 119 |
ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT |
| 120 | 120 |
# allow only packets from the same mac prefix |
| 121 | 121 |
ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP |
| 122 |
if [ $ENABLE_MASQ -a -n "$GATEWAY" ]; then |
|
| 123 |
# allow packets from/to router (for masquerading) |
|
| 124 |
ebtables -A $TO -s $PUBLIC_MAC -j ACCEPT |
|
| 125 |
ebtables -A INPUT -i $TAP -j $FROM |
|
| 126 |
ebtables -A OUTPUT -o $TAP -j $TO |
|
| 127 |
fi |
|
| 128 | 122 |
} |
| 129 | 123 |
|
| 124 |
function setup_masq {
|
|
| 125 |
TAP=$INTERFACE |
|
| 126 |
FROM=FROM${TAP^^}
|
|
| 127 |
TO=TO${TAP^^}
|
|
| 128 |
|
|
| 129 |
# allow packets from/to router (for masquerading) |
|
| 130 |
ebtables -A $TO -s $PUBLIC_MAC -j ACCEPT |
|
| 131 |
ebtables -A INPUT -i $TAP -j $FROM |
|
| 132 |
ebtables -A OUTPUT -o $TAP -j $TO |
|
| 133 |
} |
|
| 130 | 134 |
|
| 131 | 135 |
function setup_nfdhcpd {
|
| 132 | 136 |
umask 022 |
| ... | ... | |
| 135 | 139 |
#needed in bridged mode where the packets seems to arrive from the |
| 136 | 140 |
#bridge and not from the tap |
| 137 | 141 |
cat >$FILE <<EOF |
| 138 |
INDEV=$1
|
|
| 142 |
INDEV=$INDEV
|
|
| 139 | 143 |
IP=$IP |
| 140 | 144 |
MAC=$MAC |
| 141 | 145 |
HOSTNAME=$INSTANCE |
| 142 | 146 |
TAGS="$TAGS" |
| 143 |
GATEWAY=$GATEWAY |
|
| 144 |
SUBNET=$SUBNET
|
|
| 145 |
GATEWAY6=$GATEWAY6
|
|
| 146 |
SUBNET6=$SUBNET6
|
|
| 147 |
EUI64=$($MAC2EUI64 $MAC $SUBNET6 2>/dev/null) |
|
| 147 |
GATEWAY=$NETWORK_GATEWAY
|
|
| 148 |
SUBNET=$NETWORK_SUBNET
|
|
| 149 |
GATEWAY6=$NETWORK_GATEWAY6
|
|
| 150 |
SUBNET6=$NETWORK_SUBNET6
|
|
| 151 |
EUI64=$($MAC2EUI64 $MAC $NETWORK_SUBNET6 2>/dev/null)
|
|
| 148 | 152 |
EOF |
| 149 | 153 |
|
| 150 | 154 |
} |
| ... | ... | |
| 158 | 162 |
|
| 159 | 163 |
source $INFRA |
| 160 | 164 |
|
| 165 |
log-env |
|
| 161 | 166 |
|
| 162 | 167 |
clear_routed_setup_ipv4 > /dev/null 2>&1 |
| 163 | 168 |
clear_routed_setup_ipv6 > /dev/null 2>&1 |
| ... | ... | |
| 166 | 171 |
|
| 167 | 172 |
if [ "$MODE" = "routed" ]; then |
| 168 | 173 |
TABLE=$LINK |
| 169 |
# use a constant predefined MAC address for the tap |
|
| 170 |
ip link set $INTERFACE addr $TAP_CONSTANT_MAC |
|
| 171 |
# bring the tap up |
|
| 172 |
ifconfig $INTERFACE 0.0.0.0 up |
|
| 173 |
|
|
| 174 |
# Drop unicast BOOTP/DHCP packets |
|
| 175 |
iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP |
|
| 176 |
|
|
| 177 |
routed_setup_ipv4 > /dev/null 2>&1 |
|
| 178 |
routed_setup_ipv6 > /dev/null 2>&1 |
|
| 179 |
routed_setup_firewall > /dev/null 2>&1 |
|
| 180 |
setup_nfdhcpd $INTERFACE |
|
| 174 |
ip link set $INTERFACE addr $TAP_CONSTANT_MAC up |
|
| 175 |
INDEV=$INTERFACE |
|
| 181 | 176 |
elif [ "$MODE" = "bridged" ]; then |
| 182 |
ifconfig $INTERFACE 0.0.0.0 up
|
|
| 177 |
ip link set $INTERFACE up
|
|
| 183 | 178 |
brctl addif $BRIDGE $INTERFACE |
| 184 |
setup_nfdhcpd $BRIDGE |
|
| 185 |
if [ $ENABLE_EBTABLES -a "$TYPE" = "private-filtered" ]; then |
|
| 186 |
setup_ebtables > /dev/null 2>&1 |
|
| 187 |
fi |
|
| 179 |
INDEV=$BRIDGE |
|
| 188 | 180 |
fi |
| 181 |
|
|
| 182 |
|
|
| 183 |
for tag in $NETWORK_TAGS; do |
|
| 184 |
case $tag in |
|
| 185 |
ip-less-routed) |
|
| 186 |
routed_setup_ipv4 > /dev/null 2>&1 |
|
| 187 |
routed_setup_ipv6 > /dev/null 2>&1 |
|
| 188 |
routed_setup_firewall > /dev/null 2>&1 |
|
| 189 |
;; |
|
| 190 |
nfdhcpd) |
|
| 191 |
# Drop unicast BOOTP/DHCP packets |
|
| 192 |
iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP |
|
| 193 |
setup_nfdhcpd > /dev/null 2>&1 |
|
| 194 |
;; |
|
| 195 |
mac-filtered) |
|
| 196 |
setup_ebtables > /dev/null 2>&1 |
|
| 197 |
;; |
|
| 198 |
masq) |
|
| 199 |
setup_masq > /dev/null 2>&1 |
|
| 200 |
;; |
|
| 201 |
esac |
|
| 202 |
done |
|
| 203 |
|
|
Also available in: Unified diff