root / kvm-vif-bridge @ cf51ea5b
History | View | Annotate | Download (4.1 kB)
| 1 | cf51ea5b | Dimitris Aragiorgis | #!/bin/bash |
|---|---|---|---|
| 2 | cf51ea5b | Dimitris Aragiorgis | |
| 3 | cf51ea5b | Dimitris Aragiorgis | # This is an example of a Ganeti kvm ifup script that configures network |
| 4 | cf51ea5b | Dimitris Aragiorgis | # interfaces based on the initial deployment of the Okeanos project |
| 5 | cf51ea5b | Dimitris Aragiorgis | |
| 6 | cf51ea5b | Dimitris Aragiorgis | TAP_CONSTANT_MAC=cc:47:52:4e:45:54 # GRNET in hex :-) |
| 7 | cf51ea5b | Dimitris Aragiorgis | MAC2EUI64=/usr/bin/mac2eui64 |
| 8 | cf51ea5b | Dimitris Aragiorgis | NFDHCPD_STATE_DIR=/var/lib/nfdhcpd |
| 9 | cf51ea5b | Dimitris Aragiorgis | |
| 10 | cf51ea5b | Dimitris Aragiorgis | function routed_setup_ipv4 {
|
| 11 | cf51ea5b | Dimitris Aragiorgis | # get the link's default gateway |
| 12 | cf51ea5b | Dimitris Aragiorgis | gw=$(ip route list table $TABLE | sed -n 's/default via \([^ ]\+\).*/\1/p' | head -1) |
| 13 | cf51ea5b | Dimitris Aragiorgis | |
| 14 | cf51ea5b | Dimitris Aragiorgis | # mangle ARPs to come from the gw's IP |
| 15 | cf51ea5b | Dimitris Aragiorgis | arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle >/dev/null 2>&1 |
| 16 | cf51ea5b | Dimitris Aragiorgis | arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$gw" |
| 17 | cf51ea5b | Dimitris Aragiorgis | |
| 18 | cf51ea5b | Dimitris Aragiorgis | # route interface to the proper routing table |
| 19 | cf51ea5b | Dimitris Aragiorgis | while ip rule del dev $INTERFACE; do :; done |
| 20 | cf51ea5b | Dimitris Aragiorgis | ip rule add dev $INTERFACE table $TABLE |
| 21 | cf51ea5b | Dimitris Aragiorgis | |
| 22 | cf51ea5b | Dimitris Aragiorgis | # static route mapping IP -> INTERFACE |
| 23 | cf51ea5b | Dimitris Aragiorgis | ip route replace $IP proto static dev $INTERFACE table $TABLE |
| 24 | cf51ea5b | Dimitris Aragiorgis | |
| 25 | cf51ea5b | Dimitris Aragiorgis | # Enable proxy ARP |
| 26 | cf51ea5b | Dimitris Aragiorgis | echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp |
| 27 | cf51ea5b | Dimitris Aragiorgis | } |
| 28 | cf51ea5b | Dimitris Aragiorgis | |
| 29 | cf51ea5b | Dimitris Aragiorgis | function routed_setup_ipv6 {
|
| 30 | cf51ea5b | Dimitris Aragiorgis | # Add a routing entry for the eui-64 |
| 31 | cf51ea5b | Dimitris Aragiorgis | prefix=$(ip -6 route list table $TABLE | awk '/\/64/ {print $1; exit}')
|
| 32 | cf51ea5b | Dimitris Aragiorgis | uplink=$(ip -6 route list table $TABLE | sed -n 's/default via .* dev \([^ ]\+\).*/\1/p' | head -1) |
| 33 | cf51ea5b | Dimitris Aragiorgis | eui64=$($MAC2EUI64 $MAC $prefix) |
| 34 | cf51ea5b | Dimitris Aragiorgis | |
| 35 | cf51ea5b | Dimitris Aragiorgis | while ip -6 rule del dev $INTERFACE; do :; done |
| 36 | cf51ea5b | Dimitris Aragiorgis | ip -6 rule add dev $INTERFACE table $TABLE |
| 37 | cf51ea5b | Dimitris Aragiorgis | ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE |
| 38 | cf51ea5b | Dimitris Aragiorgis | ip -6 neigh add proxy $eui64 dev $uplink |
| 39 | cf51ea5b | Dimitris Aragiorgis | |
| 40 | cf51ea5b | Dimitris Aragiorgis | # disable proxy NDP since we're handling this on userspace |
| 41 | cf51ea5b | Dimitris Aragiorgis | # this should be the default, but better safe than sorry |
| 42 | cf51ea5b | Dimitris Aragiorgis | echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp |
| 43 | cf51ea5b | Dimitris Aragiorgis | } |
| 44 | cf51ea5b | Dimitris Aragiorgis | |
| 45 | cf51ea5b | Dimitris Aragiorgis | # pick a firewall profile per NIC, based on tags (and apply it) |
| 46 | cf51ea5b | Dimitris Aragiorgis | function routed_setup_firewall {
|
| 47 | cf51ea5b | Dimitris Aragiorgis | ifprefix="synnefo:network:$INTERFACE_INDEX:" |
| 48 | cf51ea5b | Dimitris Aragiorgis | for tag in $TAGS; do |
| 49 | cf51ea5b | Dimitris Aragiorgis | case ${tag#$ifprefix} in
|
| 50 | cf51ea5b | Dimitris Aragiorgis | protected) |
| 51 | cf51ea5b | Dimitris Aragiorgis | chain=protected |
| 52 | cf51ea5b | Dimitris Aragiorgis | ;; |
| 53 | cf51ea5b | Dimitris Aragiorgis | unprotected) |
| 54 | cf51ea5b | Dimitris Aragiorgis | chain=unprotected |
| 55 | cf51ea5b | Dimitris Aragiorgis | ;; |
| 56 | cf51ea5b | Dimitris Aragiorgis | limited) |
| 57 | cf51ea5b | Dimitris Aragiorgis | chain=limited |
| 58 | cf51ea5b | Dimitris Aragiorgis | ;; |
| 59 | cf51ea5b | Dimitris Aragiorgis | esac |
| 60 | cf51ea5b | Dimitris Aragiorgis | done |
| 61 | cf51ea5b | Dimitris Aragiorgis | |
| 62 | cf51ea5b | Dimitris Aragiorgis | # Flush any old rules. We have to consider all chains, since |
| 63 | cf51ea5b | Dimitris Aragiorgis | # we are not sure the instance was on the same chain, or had the same |
| 64 | cf51ea5b | Dimitris Aragiorgis | # tap interface. |
| 65 | cf51ea5b | Dimitris Aragiorgis | for oldchain in protected unprotected limited; do |
| 66 | cf51ea5b | Dimitris Aragiorgis | iptables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null |
| 67 | cf51ea5b | Dimitris Aragiorgis | ip6tables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null |
| 68 | cf51ea5b | Dimitris Aragiorgis | done |
| 69 | cf51ea5b | Dimitris Aragiorgis | |
| 70 | cf51ea5b | Dimitris Aragiorgis | if [ "x$chain" != "x" ]; then |
| 71 | cf51ea5b | Dimitris Aragiorgis | iptables -A FORWARD -o $INTERFACE -j $chain |
| 72 | cf51ea5b | Dimitris Aragiorgis | ip6tables -A FORWARD -o $INTERFACE -j $chain |
| 73 | cf51ea5b | Dimitris Aragiorgis | fi |
| 74 | cf51ea5b | Dimitris Aragiorgis | } |
| 75 | cf51ea5b | Dimitris Aragiorgis | |
| 76 | cf51ea5b | Dimitris Aragiorgis | function routed_setup_nfdhcpd {
|
| 77 | cf51ea5b | Dimitris Aragiorgis | umask 022 |
| 78 | cf51ea5b | Dimitris Aragiorgis | cat >$NFDHCPD_STATE_DIR/$INTERFACE <<EOF |
| 79 | cf51ea5b | Dimitris Aragiorgis | IFACE=$1 |
| 80 | cf51ea5b | Dimitris Aragiorgis | IP=$IP |
| 81 | cf51ea5b | Dimitris Aragiorgis | MAC=$MAC |
| 82 | cf51ea5b | Dimitris Aragiorgis | LINK=$TABLE |
| 83 | cf51ea5b | Dimitris Aragiorgis | HOSTNAME=$INSTANCE |
| 84 | cf51ea5b | Dimitris Aragiorgis | TAGS="$TAGS" |
| 85 | cf51ea5b | Dimitris Aragiorgis | EOF |
| 86 | cf51ea5b | Dimitris Aragiorgis | } |
| 87 | cf51ea5b | Dimitris Aragiorgis | |
| 88 | cf51ea5b | Dimitris Aragiorgis | function make_ebtables {
|
| 89 | cf51ea5b | Dimitris Aragiorgis | TAP=$INTERFACE |
| 90 | cf51ea5b | Dimitris Aragiorgis | FROM=FROM${TAP^^}
|
| 91 | cf51ea5b | Dimitris Aragiorgis | TO=TO${TAP^^}
|
| 92 | cf51ea5b | Dimitris Aragiorgis | |
| 93 | cf51ea5b | Dimitris Aragiorgis | ebtables -D INPUT -i $TAP -j $FROM |
| 94 | cf51ea5b | Dimitris Aragiorgis | ebtables -D FORWARD -i $TAP -j $FROM |
| 95 | cf51ea5b | Dimitris Aragiorgis | ebtables -D FORWARD -o $TAP -j $TO |
| 96 | cf51ea5b | Dimitris Aragiorgis | ebtables -D OUTPUT -o $TAP -j $TO |
| 97 | cf51ea5b | Dimitris Aragiorgis | |
| 98 | cf51ea5b | Dimitris Aragiorgis | ebtables -X $FROM |
| 99 | cf51ea5b | Dimitris Aragiorgis | ebtables -X $TO |
| 100 | cf51ea5b | Dimitris Aragiorgis | |
| 101 | cf51ea5b | Dimitris Aragiorgis | ebtables -N $FROM |
| 102 | cf51ea5b | Dimitris Aragiorgis | ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP |
| 103 | cf51ea5b | Dimitris Aragiorgis | ebtables -A $FROM -s \! $MAC -j DROP |
| 104 | cf51ea5b | Dimitris Aragiorgis | ebtables -A INPUT -i $TAP -j $FROM |
| 105 | cf51ea5b | Dimitris Aragiorgis | ebtables -A FORWARD -i $TAP -j $FROM |
| 106 | cf51ea5b | Dimitris Aragiorgis | ebtables -N $TO |
| 107 | cf51ea5b | Dimitris Aragiorgis | ebtables -A FORWARD -o $TAP -j $TO |
| 108 | cf51ea5b | Dimitris Aragiorgis | ebtables -A OUTPUT -o $TAP -j $TO |
| 109 | cf51ea5b | Dimitris Aragiorgis | if [ $TYPE == "private" ]; then |
| 110 | cf51ea5b | Dimitris Aragiorgis | ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP |
| 111 | cf51ea5b | Dimitris Aragiorgis | if [ ! -z $GATEWAY ]; then |
| 112 | cf51ea5b | Dimitris Aragiorgis | ebtables -A $TO -s $ROUTER_MAC -j ACCEPT |
| 113 | cf51ea5b | Dimitris Aragiorgis | fi |
| 114 | cf51ea5b | Dimitris Aragiorgis | fi |
| 115 | cf51ea5b | Dimitris Aragiorgis | } |
| 116 | cf51ea5b | Dimitris Aragiorgis | |
| 117 | cf51ea5b | Dimitris Aragiorgis | #FIXME: import router mac from the config files |
| 118 | cf51ea5b | Dimitris Aragiorgis | # must know node group!! how??? |
| 119 | cf51ea5b | Dimitris Aragiorgis | ROUTER_MAC=6e:10:e1:a0:c3:0f |
| 120 | cf51ea5b | Dimitris Aragiorgis | MAC_MASK=ff:ff:ff:0:0:0 |
| 121 | cf51ea5b | Dimitris Aragiorgis | |
| 122 | cf51ea5b | Dimitris Aragiorgis | TABLE=rt_$NETWORK |
| 123 | cf51ea5b | Dimitris Aragiorgis | |
| 124 | cf51ea5b | Dimitris Aragiorgis | source /var/lib/snf-network/networks/$NETWORK |
| 125 | cf51ea5b | Dimitris Aragiorgis | |
| 126 | cf51ea5b | Dimitris Aragiorgis | |
| 127 | cf51ea5b | Dimitris Aragiorgis | if [ "$MODE" = "routed" ]; then |
| 128 | cf51ea5b | Dimitris Aragiorgis | # special proxy-ARP/NDP routing mode |
| 129 | cf51ea5b | Dimitris Aragiorgis | |
| 130 | cf51ea5b | Dimitris Aragiorgis | # use a constant predefined MAC address for the tap |
| 131 | cf51ea5b | Dimitris Aragiorgis | ip link set $INTERFACE addr $TAP_CONSTANT_MAC |
| 132 | cf51ea5b | Dimitris Aragiorgis | # bring the tap up |
| 133 | cf51ea5b | Dimitris Aragiorgis | ifconfig $INTERFACE 0.0.0.0 up |
| 134 | cf51ea5b | Dimitris Aragiorgis | |
| 135 | cf51ea5b | Dimitris Aragiorgis | # Drop unicast BOOTP/DHCP packets |
| 136 | cf51ea5b | Dimitris Aragiorgis | iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP 2>/dev/null |
| 137 | cf51ea5b | Dimitris Aragiorgis | iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP |
| 138 | cf51ea5b | Dimitris Aragiorgis | |
| 139 | cf51ea5b | Dimitris Aragiorgis | routed_setup_ipv4 |
| 140 | cf51ea5b | Dimitris Aragiorgis | routed_setup_ipv6 |
| 141 | cf51ea5b | Dimitris Aragiorgis | routed_setup_firewall |
| 142 | cf51ea5b | Dimitris Aragiorgis | routed_setup_nfdhcpd $INTERFACE |
| 143 | cf51ea5b | Dimitris Aragiorgis | elif [ "$MODE" = "bridged" ]; then |
| 144 | cf51ea5b | Dimitris Aragiorgis | while ip rule del dev $INTERFACE; do :; done |
| 145 | cf51ea5b | Dimitris Aragiorgis | ifconfig $INTERFACE 0.0.0.0 up |
| 146 | cf51ea5b | Dimitris Aragiorgis | brctl addif $BRIDGE $INTERFACE |
| 147 | cf51ea5b | Dimitris Aragiorgis | routed_setup_nfdhcpd $BRIDGE |
| 148 | cf51ea5b | Dimitris Aragiorgis | make_ebtables |
| 149 | cf51ea5b | Dimitris Aragiorgis | fi |