root / kvm-vif-bridge @ d2b16e51
History | View | Annotate | Download (4.8 kB)
| 1 | cf51ea5b | Dimitris Aragiorgis | #!/bin/bash |
|---|---|---|---|
| 2 | cf51ea5b | Dimitris Aragiorgis | |
| 3 | cf51ea5b | Dimitris Aragiorgis | # This is an example of a Ganeti kvm ifup script that configures network |
| 4 | cf51ea5b | Dimitris Aragiorgis | # interfaces based on the initial deployment of the Okeanos project |
| 5 | cf51ea5b | Dimitris Aragiorgis | |
| 6 | cf51ea5b | Dimitris Aragiorgis | TAP_CONSTANT_MAC=cc:47:52:4e:45:54 # GRNET in hex :-) |
| 7 | cf51ea5b | Dimitris Aragiorgis | MAC2EUI64=/usr/bin/mac2eui64 |
| 8 | cf51ea5b | Dimitris Aragiorgis | NFDHCPD_STATE_DIR=/var/lib/nfdhcpd |
| 9 | cf51ea5b | Dimitris Aragiorgis | |
| 10 | d2b16e51 | Dimitris Aragiorgis | |
| 11 | d2b16e51 | Dimitris Aragiorgis | |
| 12 | 7d163a24 | Dimitris Aragiorgis | function clear_tap {
|
| 13 | d2b16e51 | Dimitris Aragiorgis | |
| 14 | 7d163a24 | Dimitris Aragiorgis | arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle >/dev/null 2>&1 |
| 15 | 7d163a24 | Dimitris Aragiorgis | while ip rule del dev $INTERFACE; do :; done |
| 16 | 7d163a24 | Dimitris Aragiorgis | iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP 2>/dev/null |
| 17 | 7d163a24 | Dimitris Aragiorgis | |
| 18 | 7d163a24 | Dimitris Aragiorgis | |
| 19 | 7d163a24 | Dimitris Aragiorgis | } |
| 20 | 7d163a24 | Dimitris Aragiorgis | |
| 21 | cf51ea5b | Dimitris Aragiorgis | function routed_setup_ipv4 {
|
| 22 | cf51ea5b | Dimitris Aragiorgis | |
| 23 | cf51ea5b | Dimitris Aragiorgis | # mangle ARPs to come from the gw's IP |
| 24 | d2b16e51 | Dimitris Aragiorgis | arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$GATEWAY" |
| 25 | cf51ea5b | Dimitris Aragiorgis | |
| 26 | cf51ea5b | Dimitris Aragiorgis | # route interface to the proper routing table |
| 27 | cf51ea5b | Dimitris Aragiorgis | ip rule add dev $INTERFACE table $TABLE |
| 28 | cf51ea5b | Dimitris Aragiorgis | |
| 29 | cf51ea5b | Dimitris Aragiorgis | # static route mapping IP -> INTERFACE |
| 30 | cf51ea5b | Dimitris Aragiorgis | ip route replace $IP proto static dev $INTERFACE table $TABLE |
| 31 | cf51ea5b | Dimitris Aragiorgis | |
| 32 | cf51ea5b | Dimitris Aragiorgis | # Enable proxy ARP |
| 33 | cf51ea5b | Dimitris Aragiorgis | echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp |
| 34 | cf51ea5b | Dimitris Aragiorgis | } |
| 35 | cf51ea5b | Dimitris Aragiorgis | |
| 36 | cf51ea5b | Dimitris Aragiorgis | function routed_setup_ipv6 {
|
| 37 | cf51ea5b | Dimitris Aragiorgis | # Add a routing entry for the eui-64 |
| 38 | ed7f0f2a | Dimitris Aragiorgis | prefix=$SUBNET6 |
| 39 | ed7f0f2a | Dimitris Aragiorgis | uplink=$GATEWAY6 |
| 40 | cf51ea5b | Dimitris Aragiorgis | eui64=$($MAC2EUI64 $MAC $prefix) |
| 41 | cf51ea5b | Dimitris Aragiorgis | |
| 42 | cf51ea5b | Dimitris Aragiorgis | while ip -6 rule del dev $INTERFACE; do :; done |
| 43 | cf51ea5b | Dimitris Aragiorgis | ip -6 rule add dev $INTERFACE table $TABLE |
| 44 | cf51ea5b | Dimitris Aragiorgis | ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE |
| 45 | cf51ea5b | Dimitris Aragiorgis | ip -6 neigh add proxy $eui64 dev $uplink |
| 46 | cf51ea5b | Dimitris Aragiorgis | |
| 47 | cf51ea5b | Dimitris Aragiorgis | # disable proxy NDP since we're handling this on userspace |
| 48 | cf51ea5b | Dimitris Aragiorgis | # this should be the default, but better safe than sorry |
| 49 | cf51ea5b | Dimitris Aragiorgis | echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp |
| 50 | cf51ea5b | Dimitris Aragiorgis | } |
| 51 | cf51ea5b | Dimitris Aragiorgis | |
| 52 | cf51ea5b | Dimitris Aragiorgis | # pick a firewall profile per NIC, based on tags (and apply it) |
| 53 | cf51ea5b | Dimitris Aragiorgis | function routed_setup_firewall {
|
| 54 | cf51ea5b | Dimitris Aragiorgis | ifprefix="synnefo:network:$INTERFACE_INDEX:" |
| 55 | cf51ea5b | Dimitris Aragiorgis | for tag in $TAGS; do |
| 56 | cf51ea5b | Dimitris Aragiorgis | case ${tag#$ifprefix} in
|
| 57 | cf51ea5b | Dimitris Aragiorgis | protected) |
| 58 | cf51ea5b | Dimitris Aragiorgis | chain=protected |
| 59 | cf51ea5b | Dimitris Aragiorgis | ;; |
| 60 | cf51ea5b | Dimitris Aragiorgis | unprotected) |
| 61 | cf51ea5b | Dimitris Aragiorgis | chain=unprotected |
| 62 | cf51ea5b | Dimitris Aragiorgis | ;; |
| 63 | cf51ea5b | Dimitris Aragiorgis | limited) |
| 64 | cf51ea5b | Dimitris Aragiorgis | chain=limited |
| 65 | cf51ea5b | Dimitris Aragiorgis | ;; |
| 66 | cf51ea5b | Dimitris Aragiorgis | esac |
| 67 | cf51ea5b | Dimitris Aragiorgis | done |
| 68 | cf51ea5b | Dimitris Aragiorgis | |
| 69 | cf51ea5b | Dimitris Aragiorgis | # Flush any old rules. We have to consider all chains, since |
| 70 | cf51ea5b | Dimitris Aragiorgis | # we are not sure the instance was on the same chain, or had the same |
| 71 | cf51ea5b | Dimitris Aragiorgis | # tap interface. |
| 72 | cf51ea5b | Dimitris Aragiorgis | for oldchain in protected unprotected limited; do |
| 73 | cf51ea5b | Dimitris Aragiorgis | iptables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null |
| 74 | cf51ea5b | Dimitris Aragiorgis | ip6tables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null |
| 75 | cf51ea5b | Dimitris Aragiorgis | done |
| 76 | cf51ea5b | Dimitris Aragiorgis | |
| 77 | cf51ea5b | Dimitris Aragiorgis | if [ "x$chain" != "x" ]; then |
| 78 | cf51ea5b | Dimitris Aragiorgis | iptables -A FORWARD -o $INTERFACE -j $chain |
| 79 | cf51ea5b | Dimitris Aragiorgis | ip6tables -A FORWARD -o $INTERFACE -j $chain |
| 80 | cf51ea5b | Dimitris Aragiorgis | fi |
| 81 | cf51ea5b | Dimitris Aragiorgis | } |
| 82 | cf51ea5b | Dimitris Aragiorgis | |
| 83 | 7d163a24 | Dimitris Aragiorgis | function setup_nfdhcpd {
|
| 84 | cf51ea5b | Dimitris Aragiorgis | umask 022 |
| 85 | ed7f0f2a | Dimitris Aragiorgis | FILE=$NFDHCPD_STATE_DIR/$INTERFACE |
| 86 | d2b16e51 | Dimitris Aragiorgis | #IFACE is the interface from which the packet seems to arrive |
| 87 | d2b16e51 | Dimitris Aragiorgis | #needed in bridged mode where the packets seems to arrive from the |
| 88 | d2b16e51 | Dimitris Aragiorgis | #bridge and not from the tap |
| 89 | ed7f0f2a | Dimitris Aragiorgis | cat >$FILE <<EOF |
| 90 | cf51ea5b | Dimitris Aragiorgis | IFACE=$1 |
| 91 | cf51ea5b | Dimitris Aragiorgis | IP=$IP |
| 92 | cf51ea5b | Dimitris Aragiorgis | MAC=$MAC |
| 93 | cf51ea5b | Dimitris Aragiorgis | HOSTNAME=$INSTANCE |
| 94 | cf51ea5b | Dimitris Aragiorgis | TAGS="$TAGS" |
| 95 | cf51ea5b | Dimitris Aragiorgis | EOF |
| 96 | d2b16e51 | Dimitris Aragiorgis | if [ -n "$GATEWAY" ]; then |
| 97 | ed7f0f2a | Dimitris Aragiorgis | echo GATEWAY=$GATEWAY >> $FILE |
| 98 | ed7f0f2a | Dimitris Aragiorgis | fi |
| 99 | d2b16e51 | Dimitris Aragiorgis | if [ -n "$SUBNET" ]; then |
| 100 | ed7f0f2a | Dimitris Aragiorgis | echo SUBNET=$SUBNET >> $FILE |
| 101 | ed7f0f2a | Dimitris Aragiorgis | fi |
| 102 | d2b16e51 | Dimitris Aragiorgis | if [ -n "$GATEWAY6" ]; then |
| 103 | ed7f0f2a | Dimitris Aragiorgis | echo GATEWAY6=$GATEWAY6 >> $FILE |
| 104 | ed7f0f2a | Dimitris Aragiorgis | fi |
| 105 | d2b16e51 | Dimitris Aragiorgis | if [ -n "$SUBNET6" ]; then |
| 106 | ed7f0f2a | Dimitris Aragiorgis | echo SUBNET6=$SUBNET6 >> $FILE |
| 107 | ed7f0f2a | Dimitris Aragiorgis | fi |
| 108 | ed7f0f2a | Dimitris Aragiorgis | |
| 109 | cf51ea5b | Dimitris Aragiorgis | } |
| 110 | cf51ea5b | Dimitris Aragiorgis | |
| 111 | 7d163a24 | Dimitris Aragiorgis | function clear_ebtables {
|
| 112 | cf51ea5b | Dimitris Aragiorgis | TAP=$INTERFACE |
| 113 | cf51ea5b | Dimitris Aragiorgis | FROM=FROM${TAP^^}
|
| 114 | cf51ea5b | Dimitris Aragiorgis | TO=TO${TAP^^}
|
| 115 | d2b16e51 | Dimitris Aragiorgis | |
| 116 | 7d163a24 | Dimitris Aragiorgis | exist=$(ebtables -L | grep $TAP) |
| 117 | d2b16e51 | Dimitris Aragiorgis | |
| 118 | 7d163a24 | Dimitris Aragiorgis | if [ ! -z "$exist" ]; then |
| 119 | 7d163a24 | Dimitris Aragiorgis | ebtables -D INPUT -i $TAP -j $FROM |
| 120 | 7d163a24 | Dimitris Aragiorgis | ebtables -D FORWARD -i $TAP -j $FROM |
| 121 | 7d163a24 | Dimitris Aragiorgis | ebtables -D FORWARD -o $TAP -j $TO |
| 122 | 7d163a24 | Dimitris Aragiorgis | ebtables -D OUTPUT -o $TAP -j $TO |
| 123 | 7d163a24 | Dimitris Aragiorgis | |
| 124 | 7d163a24 | Dimitris Aragiorgis | ebtables -X $FROM |
| 125 | 7d163a24 | Dimitris Aragiorgis | ebtables -X $TO |
| 126 | 7d163a24 | Dimitris Aragiorgis | fi |
| 127 | f6f980d5 | Dimitris Aragiorgis | } |
| 128 | f6f980d5 | Dimitris Aragiorgis | |
| 129 | 7d163a24 | Dimitris Aragiorgis | function setup_ebtables {
|
| 130 | f6f980d5 | Dimitris Aragiorgis | TAP=$INTERFACE |
| 131 | f6f980d5 | Dimitris Aragiorgis | FROM=FROM${TAP^^}
|
| 132 | f6f980d5 | Dimitris Aragiorgis | TO=TO${TAP^^}
|
| 133 | cf51ea5b | Dimitris Aragiorgis | |
| 134 | cf51ea5b | Dimitris Aragiorgis | ebtables -N $FROM |
| 135 | 7d163a24 | Dimitris Aragiorgis | # do not allow changes in ip-mac pair |
| 136 | cf51ea5b | Dimitris Aragiorgis | ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP |
| 137 | d2b16e51 | Dimitris Aragiorgis | ebtables -A $FROM -s \! $MAC -j DROP |
| 138 | d2b16e51 | Dimitris Aragiorgis | ebtables -A FORWARD -i $TAP -j $FROM |
| 139 | cf51ea5b | Dimitris Aragiorgis | ebtables -N $TO |
| 140 | cf51ea5b | Dimitris Aragiorgis | ebtables -A FORWARD -o $TAP -j $TO |
| 141 | f6f980d5 | Dimitris Aragiorgis | #accept dhcp responses from host (nfdhcpd) |
| 142 | f6f980d5 | Dimitris Aragiorgis | ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT |
| 143 | d2b16e51 | Dimitris Aragiorgis | if [ "$TYPE" == "private" ]; then |
| 144 | d2b16e51 | Dimitris Aragiorgis | if [ ! -z "$GATEWAY" ]; then |
| 145 | 7d163a24 | Dimitris Aragiorgis | # allow packets from/to router (for masquerading |
| 146 | d2b16e51 | Dimitris Aragiorgis | ebtables -A $TO -s $ROUTER_MAC -j ACCEPT |
| 147 | d2b16e51 | Dimitris Aragiorgis | ebtables -A INPUT -i $TAP -j $FROM |
| 148 | 7d163a24 | Dimitris Aragiorgis | ebtables -A OUTPUT -o $TAP -j $TO |
| 149 | cf51ea5b | Dimitris Aragiorgis | fi |
| 150 | d2b16e51 | Dimitris Aragiorgis | # allow only packets from the same mac prefix |
| 151 | d2b16e51 | Dimitris Aragiorgis | ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP |
| 152 | cf51ea5b | Dimitris Aragiorgis | fi |
| 153 | cf51ea5b | Dimitris Aragiorgis | } |
| 154 | cf51ea5b | Dimitris Aragiorgis | |
| 155 | cf51ea5b | Dimitris Aragiorgis | |
| 156 | cf51ea5b | Dimitris Aragiorgis | |
| 157 | d2b16e51 | Dimitris Aragiorgis | DEFAULT=/etc/default/snf-network |
| 158 | d2b16e51 | Dimitris Aragiorgis | source $DEFAULT |
| 159 | d2b16e51 | Dimitris Aragiorgis | source $CONF |
| 160 | cf51ea5b | Dimitris Aragiorgis | |
| 161 | d2b16e51 | Dimitris Aragiorgis | NODEINFRAFILE=$SHAREDDIR/infra/$(hostname) |
| 162 | d2b16e51 | Dimitris Aragiorgis | |
| 163 | d2b16e51 | Dimitris Aragiorgis | if [ -e "$NODEINFRAFILE" ]; then |
| 164 | d2b16e51 | Dimitris Aragiorgis | source $NODEINFRAFILE |
| 165 | d2b16e51 | Dimitris Aragiorgis | fi |
| 166 | d2b16e51 | Dimitris Aragiorgis | |
| 167 | d2b16e51 | Dimitris Aragiorgis | |
| 168 | d2b16e51 | Dimitris Aragiorgis | NETFILE=$SHAREDDIR/networks/$NETWORK |
| 169 | d2b16e51 | Dimitris Aragiorgis | if [ -e "$NETFILE" ]; then |
| 170 | d2b16e51 | Dimitris Aragiorgis | source $NETFILE |
| 171 | d2b16e51 | Dimitris Aragiorgis | fi |
| 172 | cf51ea5b | Dimitris Aragiorgis | |
| 173 | cf51ea5b | Dimitris Aragiorgis | if [ "$MODE" = "routed" ]; then |
| 174 | d2b16e51 | Dimitris Aragiorgis | TABLE=rt_$NETWORK |
| 175 | cf51ea5b | Dimitris Aragiorgis | # special proxy-ARP/NDP routing mode |
| 176 | 7d163a24 | Dimitris Aragiorgis | clear_tap |
| 177 | cf51ea5b | Dimitris Aragiorgis | # use a constant predefined MAC address for the tap |
| 178 | cf51ea5b | Dimitris Aragiorgis | ip link set $INTERFACE addr $TAP_CONSTANT_MAC |
| 179 | cf51ea5b | Dimitris Aragiorgis | # bring the tap up |
| 180 | cf51ea5b | Dimitris Aragiorgis | ifconfig $INTERFACE 0.0.0.0 up |
| 181 | cf51ea5b | Dimitris Aragiorgis | |
| 182 | cf51ea5b | Dimitris Aragiorgis | # Drop unicast BOOTP/DHCP packets |
| 183 | cf51ea5b | Dimitris Aragiorgis | iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP |
| 184 | cf51ea5b | Dimitris Aragiorgis | |
| 185 | cf51ea5b | Dimitris Aragiorgis | routed_setup_ipv4 |
| 186 | ed7f0f2a | Dimitris Aragiorgis | routed_setup_ipv6 |
| 187 | ed7f0f2a | Dimitris Aragiorgis | routed_setup_firewall |
| 188 | 7d163a24 | Dimitris Aragiorgis | setup_nfdhcpd $INTERFACE |
| 189 | 7d163a24 | Dimitris Aragiorgis | clear_ebtables >/dev/null 2>&1 |
| 190 | cf51ea5b | Dimitris Aragiorgis | elif [ "$MODE" = "bridged" ]; then |
| 191 | 7d163a24 | Dimitris Aragiorgis | clear_tap |
| 192 | 7d163a24 | Dimitris Aragiorgis | clear_ebtables >/dev/null 2>&1 |
| 193 | cf51ea5b | Dimitris Aragiorgis | ifconfig $INTERFACE 0.0.0.0 up |
| 194 | cf51ea5b | Dimitris Aragiorgis | brctl addif $BRIDGE $INTERFACE |
| 195 | 7d163a24 | Dimitris Aragiorgis | setup_nfdhcpd $BRIDGE |
| 196 | 7d163a24 | Dimitris Aragiorgis | setup_ebtables |
| 197 | d2b16e51 | Dimitris Aragiorgis | fi |