root / kvm-vif-bridge @ e27db5e5
History | View | Annotate | Download (4.7 kB)
| 1 | cf51ea5b | Dimitris Aragiorgis | #!/bin/bash |
|---|---|---|---|
| 2 | cf51ea5b | Dimitris Aragiorgis | |
| 3 | cf51ea5b | Dimitris Aragiorgis | # This is an example of a Ganeti kvm ifup script that configures network |
| 4 | cf51ea5b | Dimitris Aragiorgis | # interfaces based on the initial deployment of the Okeanos project |
| 5 | cf51ea5b | Dimitris Aragiorgis | |
| 6 | cf51ea5b | Dimitris Aragiorgis | TAP_CONSTANT_MAC=cc:47:52:4e:45:54 # GRNET in hex :-) |
| 7 | cf51ea5b | Dimitris Aragiorgis | MAC2EUI64=/usr/bin/mac2eui64 |
| 8 | cf51ea5b | Dimitris Aragiorgis | NFDHCPD_STATE_DIR=/var/lib/nfdhcpd |
| 9 | cf51ea5b | Dimitris Aragiorgis | |
| 10 | 2b9e52e1 | Dimitris Aragiorgis | function clear_routed_setup_ipv4 {
|
| 11 | d2b16e51 | Dimitris Aragiorgis | |
| 12 | 2b9e52e1 | Dimitris Aragiorgis | arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle |
| 13 | 2b9e52e1 | Dimitris Aragiorgis | while ip rule del dev $INTERFACE; do :; done |
| 14 | 2b9e52e1 | Dimitris Aragiorgis | iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP |
| 15 | d2b16e51 | Dimitris Aragiorgis | |
| 16 | 2b9e52e1 | Dimitris Aragiorgis | } |
| 17 | d2b16e51 | Dimitris Aragiorgis | |
| 18 | 2b9e52e1 | Dimitris Aragiorgis | function clear_routed_setup_ipv6 {
|
| 19 | 7d163a24 | Dimitris Aragiorgis | |
| 20 | 2b9e52e1 | Dimitris Aragiorgis | while ip -6 rule del dev $INTERFACE; do :; done |
| 21 | 7d163a24 | Dimitris Aragiorgis | |
| 22 | 7d163a24 | Dimitris Aragiorgis | } |
| 23 | 7d163a24 | Dimitris Aragiorgis | |
| 24 | 2b9e52e1 | Dimitris Aragiorgis | |
| 25 | 2b9e52e1 | Dimitris Aragiorgis | function clear_routed_setup_firewall {
|
| 26 | 2b9e52e1 | Dimitris Aragiorgis | |
| 27 | 2b9e52e1 | Dimitris Aragiorgis | for oldchain in protected unprotected limited; do |
| 28 | 2b9e52e1 | Dimitris Aragiorgis | iptables -D FORWARD -o $INTERFACE -j $oldchain |
| 29 | 2b9e52e1 | Dimitris Aragiorgis | ip6tables -D FORWARD -o $INTERFACE -j $oldchain |
| 30 | 2b9e52e1 | Dimitris Aragiorgis | done |
| 31 | 2b9e52e1 | Dimitris Aragiorgis | |
| 32 | 2b9e52e1 | Dimitris Aragiorgis | } |
| 33 | 2b9e52e1 | Dimitris Aragiorgis | |
| 34 | 2b9e52e1 | Dimitris Aragiorgis | function clear_ebtables {
|
| 35 | 2b9e52e1 | Dimitris Aragiorgis | TAP=$INTERFACE |
| 36 | 2b9e52e1 | Dimitris Aragiorgis | FROM=FROM${TAP^^}
|
| 37 | 2b9e52e1 | Dimitris Aragiorgis | TO=TO${TAP^^}
|
| 38 | 2b9e52e1 | Dimitris Aragiorgis | |
| 39 | 2b9e52e1 | Dimitris Aragiorgis | ebtables -D INPUT -i $TAP -j $FROM |
| 40 | 2b9e52e1 | Dimitris Aragiorgis | ebtables -D FORWARD -i $TAP -j $FROM |
| 41 | 2b9e52e1 | Dimitris Aragiorgis | ebtables -D FORWARD -o $TAP -j $TO |
| 42 | 2b9e52e1 | Dimitris Aragiorgis | ebtables -D OUTPUT -o $TAP -j $TO |
| 43 | 2b9e52e1 | Dimitris Aragiorgis | |
| 44 | 2b9e52e1 | Dimitris Aragiorgis | ebtables -X $FROM |
| 45 | 2b9e52e1 | Dimitris Aragiorgis | ebtables -X $TO |
| 46 | 2b9e52e1 | Dimitris Aragiorgis | } |
| 47 | 2b9e52e1 | Dimitris Aragiorgis | |
| 48 | 2b9e52e1 | Dimitris Aragiorgis | |
| 49 | 2b9e52e1 | Dimitris Aragiorgis | |
| 50 | cf51ea5b | Dimitris Aragiorgis | function routed_setup_ipv4 {
|
| 51 | cf51ea5b | Dimitris Aragiorgis | |
| 52 | cf51ea5b | Dimitris Aragiorgis | # mangle ARPs to come from the gw's IP |
| 53 | d2b16e51 | Dimitris Aragiorgis | arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$GATEWAY" |
| 54 | cf51ea5b | Dimitris Aragiorgis | |
| 55 | cf51ea5b | Dimitris Aragiorgis | # route interface to the proper routing table |
| 56 | f8e790c4 | Dimitris Aragiorgis | ip rule add dev $INTERFACE table $TABLE |
| 57 | cf51ea5b | Dimitris Aragiorgis | |
| 58 | cf51ea5b | Dimitris Aragiorgis | # static route mapping IP -> INTERFACE |
| 59 | cf51ea5b | Dimitris Aragiorgis | ip route replace $IP proto static dev $INTERFACE table $TABLE |
| 60 | cf51ea5b | Dimitris Aragiorgis | |
| 61 | cf51ea5b | Dimitris Aragiorgis | # Enable proxy ARP |
| 62 | cf51ea5b | Dimitris Aragiorgis | echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp |
| 63 | cf51ea5b | Dimitris Aragiorgis | } |
| 64 | cf51ea5b | Dimitris Aragiorgis | |
| 65 | cf51ea5b | Dimitris Aragiorgis | function routed_setup_ipv6 {
|
| 66 | cf51ea5b | Dimitris Aragiorgis | # Add a routing entry for the eui-64 |
| 67 | ed7f0f2a | Dimitris Aragiorgis | prefix=$SUBNET6 |
| 68 | e27db5e5 | Dimitris Aragiorgis | uplink=$PUBLIC_VLAN |
| 69 | cf51ea5b | Dimitris Aragiorgis | eui64=$($MAC2EUI64 $MAC $prefix) |
| 70 | cf51ea5b | Dimitris Aragiorgis | |
| 71 | f8e790c4 | Dimitris Aragiorgis | |
| 72 | cf51ea5b | Dimitris Aragiorgis | ip -6 rule add dev $INTERFACE table $TABLE |
| 73 | cf51ea5b | Dimitris Aragiorgis | ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE |
| 74 | 2b9e52e1 | Dimitris Aragiorgis | ip -6 neigh add proxy $eui64 dev $uplink |
| 75 | cf51ea5b | Dimitris Aragiorgis | |
| 76 | cf51ea5b | Dimitris Aragiorgis | # disable proxy NDP since we're handling this on userspace |
| 77 | cf51ea5b | Dimitris Aragiorgis | # this should be the default, but better safe than sorry |
| 78 | cf51ea5b | Dimitris Aragiorgis | echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp |
| 79 | cf51ea5b | Dimitris Aragiorgis | } |
| 80 | cf51ea5b | Dimitris Aragiorgis | |
| 81 | cf51ea5b | Dimitris Aragiorgis | # pick a firewall profile per NIC, based on tags (and apply it) |
| 82 | cf51ea5b | Dimitris Aragiorgis | function routed_setup_firewall {
|
| 83 | cf51ea5b | Dimitris Aragiorgis | ifprefix="synnefo:network:$INTERFACE_INDEX:" |
| 84 | cf51ea5b | Dimitris Aragiorgis | for tag in $TAGS; do |
| 85 | cf51ea5b | Dimitris Aragiorgis | case ${tag#$ifprefix} in
|
| 86 | cf51ea5b | Dimitris Aragiorgis | protected) |
| 87 | cf51ea5b | Dimitris Aragiorgis | chain=protected |
| 88 | cf51ea5b | Dimitris Aragiorgis | ;; |
| 89 | cf51ea5b | Dimitris Aragiorgis | unprotected) |
| 90 | cf51ea5b | Dimitris Aragiorgis | chain=unprotected |
| 91 | cf51ea5b | Dimitris Aragiorgis | ;; |
| 92 | cf51ea5b | Dimitris Aragiorgis | limited) |
| 93 | cf51ea5b | Dimitris Aragiorgis | chain=limited |
| 94 | cf51ea5b | Dimitris Aragiorgis | ;; |
| 95 | cf51ea5b | Dimitris Aragiorgis | esac |
| 96 | cf51ea5b | Dimitris Aragiorgis | done |
| 97 | cf51ea5b | Dimitris Aragiorgis | |
| 98 | cf51ea5b | Dimitris Aragiorgis | if [ "x$chain" != "x" ]; then |
| 99 | cf51ea5b | Dimitris Aragiorgis | iptables -A FORWARD -o $INTERFACE -j $chain |
| 100 | cf51ea5b | Dimitris Aragiorgis | ip6tables -A FORWARD -o $INTERFACE -j $chain |
| 101 | cf51ea5b | Dimitris Aragiorgis | fi |
| 102 | cf51ea5b | Dimitris Aragiorgis | } |
| 103 | cf51ea5b | Dimitris Aragiorgis | |
| 104 | 7d163a24 | Dimitris Aragiorgis | function setup_ebtables {
|
| 105 | f6f980d5 | Dimitris Aragiorgis | TAP=$INTERFACE |
| 106 | f6f980d5 | Dimitris Aragiorgis | FROM=FROM${TAP^^}
|
| 107 | f6f980d5 | Dimitris Aragiorgis | TO=TO${TAP^^}
|
| 108 | cf51ea5b | Dimitris Aragiorgis | |
| 109 | cf51ea5b | Dimitris Aragiorgis | ebtables -N $FROM |
| 110 | 7d163a24 | Dimitris Aragiorgis | # do not allow changes in ip-mac pair |
| 111 | 2b9e52e1 | Dimitris Aragiorgis | if [ -n "$IP"]; then |
| 112 | 2b9e52e1 | Dimitris Aragiorgis | ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP |
| 113 | 2b9e52e1 | Dimitris Aragiorgis | fi |
| 114 | d2b16e51 | Dimitris Aragiorgis | ebtables -A $FROM -s \! $MAC -j DROP |
| 115 | d2b16e51 | Dimitris Aragiorgis | ebtables -A FORWARD -i $TAP -j $FROM |
| 116 | cf51ea5b | Dimitris Aragiorgis | ebtables -N $TO |
| 117 | cf51ea5b | Dimitris Aragiorgis | ebtables -A FORWARD -o $TAP -j $TO |
| 118 | f6f980d5 | Dimitris Aragiorgis | #accept dhcp responses from host (nfdhcpd) |
| 119 | f6f980d5 | Dimitris Aragiorgis | ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT |
| 120 | d2b16e51 | Dimitris Aragiorgis | if [ "$TYPE" == "private" ]; then |
| 121 | 6e257ba8 | Dimitris Aragiorgis | if [ ! -z "$GATEWAY" -a $ENABLE_MASQ ]; then |
| 122 | 7d163a24 | Dimitris Aragiorgis | # allow packets from/to router (for masquerading |
| 123 | d2b16e51 | Dimitris Aragiorgis | ebtables -A $TO -s $ROUTER_MAC -j ACCEPT |
| 124 | d2b16e51 | Dimitris Aragiorgis | ebtables -A INPUT -i $TAP -j $FROM |
| 125 | 7d163a24 | Dimitris Aragiorgis | ebtables -A OUTPUT -o $TAP -j $TO |
| 126 | cf51ea5b | Dimitris Aragiorgis | fi |
| 127 | d2b16e51 | Dimitris Aragiorgis | # allow only packets from the same mac prefix |
| 128 | d2b16e51 | Dimitris Aragiorgis | ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP |
| 129 | cf51ea5b | Dimitris Aragiorgis | fi |
| 130 | cf51ea5b | Dimitris Aragiorgis | } |
| 131 | cf51ea5b | Dimitris Aragiorgis | |
| 132 | cf51ea5b | Dimitris Aragiorgis | |
| 133 | 2b9e52e1 | Dimitris Aragiorgis | function setup_nfdhcpd {
|
| 134 | 2b9e52e1 | Dimitris Aragiorgis | umask 022 |
| 135 | 2b9e52e1 | Dimitris Aragiorgis | FILE=$NFDHCPD_STATE_DIR/$INTERFACE |
| 136 | 2b9e52e1 | Dimitris Aragiorgis | #IFACE is the interface from which the packet seems to arrive |
| 137 | 2b9e52e1 | Dimitris Aragiorgis | #needed in bridged mode where the packets seems to arrive from the |
| 138 | 2b9e52e1 | Dimitris Aragiorgis | #bridge and not from the tap |
| 139 | 2b9e52e1 | Dimitris Aragiorgis | cat >$FILE <<EOF |
| 140 | 2b9e52e1 | Dimitris Aragiorgis | INDEV=$1 |
| 141 | 2b9e52e1 | Dimitris Aragiorgis | IP=$IP |
| 142 | 2b9e52e1 | Dimitris Aragiorgis | MAC=$MAC |
| 143 | 2b9e52e1 | Dimitris Aragiorgis | HOSTNAME=$INSTANCE |
| 144 | 2b9e52e1 | Dimitris Aragiorgis | TAGS="$TAGS" |
| 145 | 2b9e52e1 | Dimitris Aragiorgis | GATEWAY=$GATEWAY |
| 146 | 2b9e52e1 | Dimitris Aragiorgis | SUBNET=$SUBNET |
| 147 | 2b9e52e1 | Dimitris Aragiorgis | GATEWAY6=$GATEWAY6 |
| 148 | 2b9e52e1 | Dimitris Aragiorgis | SUBNET6=$SUBNET6 |
| 149 | 2b9e52e1 | Dimitris Aragiorgis | EUI64=$($MAC2EUI64 $MAC $SUBNET6 2>/dev/null) |
| 150 | 2b9e52e1 | Dimitris Aragiorgis | EOF |
| 151 | 2b9e52e1 | Dimitris Aragiorgis | |
| 152 | 2b9e52e1 | Dimitris Aragiorgis | } |
| 153 | 2b9e52e1 | Dimitris Aragiorgis | |
| 154 | cf51ea5b | Dimitris Aragiorgis | |
| 155 | d2b16e51 | Dimitris Aragiorgis | DEFAULT=/etc/default/snf-network |
| 156 | d2b16e51 | Dimitris Aragiorgis | source $DEFAULT |
| 157 | d2b16e51 | Dimitris Aragiorgis | source $CONF |
| 158 | cf51ea5b | Dimitris Aragiorgis | |
| 159 | d2b16e51 | Dimitris Aragiorgis | NODEINFRAFILE=$SHAREDDIR/infra/$(hostname) |
| 160 | d2b16e51 | Dimitris Aragiorgis | |
| 161 | d2b16e51 | Dimitris Aragiorgis | if [ -e "$NODEINFRAFILE" ]; then |
| 162 | d2b16e51 | Dimitris Aragiorgis | source $NODEINFRAFILE |
| 163 | d2b16e51 | Dimitris Aragiorgis | fi |
| 164 | d2b16e51 | Dimitris Aragiorgis | |
| 165 | 6e257ba8 | Dimitris Aragiorgis | CLUSTERINFRAFILE=$SHAREDDIR/infra/cluster |
| 166 | 6e257ba8 | Dimitris Aragiorgis | |
| 167 | 6e257ba8 | Dimitris Aragiorgis | if [ -e "$CLUSTERINFRAFILE" ]; then |
| 168 | 6e257ba8 | Dimitris Aragiorgis | source $CLUSTERINFRAFILE |
| 169 | 6e257ba8 | Dimitris Aragiorgis | fi |
| 170 | d2b16e51 | Dimitris Aragiorgis | |
| 171 | d2b16e51 | Dimitris Aragiorgis | NETFILE=$SHAREDDIR/networks/$NETWORK |
| 172 | 6e257ba8 | Dimitris Aragiorgis | |
| 173 | d2b16e51 | Dimitris Aragiorgis | if [ -e "$NETFILE" ]; then |
| 174 | d2b16e51 | Dimitris Aragiorgis | source $NETFILE |
| 175 | d2b16e51 | Dimitris Aragiorgis | fi |
| 176 | cf51ea5b | Dimitris Aragiorgis | |
| 177 | 2b9e52e1 | Dimitris Aragiorgis | |
| 178 | 2b9e52e1 | Dimitris Aragiorgis | TABLE=rt_$NETWORK |
| 179 | 2b9e52e1 | Dimitris Aragiorgis | clear_routed_setup_ipv4 > /dev/null 2>&1 |
| 180 | 2b9e52e1 | Dimitris Aragiorgis | clear_routed_setup_ipv6 > /dev/null 2>&1 |
| 181 | 2b9e52e1 | Dimitris Aragiorgis | clear_routed_setup_firewall > /dev/null 2>&1 |
| 182 | 2b9e52e1 | Dimitris Aragiorgis | clear_ebtables > /dev/null 2>&1 |
| 183 | 2b9e52e1 | Dimitris Aragiorgis | |
| 184 | cf51ea5b | Dimitris Aragiorgis | if [ "$MODE" = "routed" ]; then |
| 185 | cf51ea5b | Dimitris Aragiorgis | # use a constant predefined MAC address for the tap |
| 186 | cf51ea5b | Dimitris Aragiorgis | ip link set $INTERFACE addr $TAP_CONSTANT_MAC |
| 187 | cf51ea5b | Dimitris Aragiorgis | # bring the tap up |
| 188 | cf51ea5b | Dimitris Aragiorgis | ifconfig $INTERFACE 0.0.0.0 up |
| 189 | cf51ea5b | Dimitris Aragiorgis | |
| 190 | cf51ea5b | Dimitris Aragiorgis | # Drop unicast BOOTP/DHCP packets |
| 191 | cf51ea5b | Dimitris Aragiorgis | iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP |
| 192 | cf51ea5b | Dimitris Aragiorgis | |
| 193 | f8e790c4 | Dimitris Aragiorgis | routed_setup_ipv4 > /dev/null 2>&1 |
| 194 | f8e790c4 | Dimitris Aragiorgis | routed_setup_ipv6 > /dev/null 2>&1 |
| 195 | 2b9e52e1 | Dimitris Aragiorgis | routed_setup_firewall > /dev/null 2>&1 |
| 196 | 7d163a24 | Dimitris Aragiorgis | setup_nfdhcpd $INTERFACE |
| 197 | cf51ea5b | Dimitris Aragiorgis | elif [ "$MODE" = "bridged" ]; then |
| 198 | cf51ea5b | Dimitris Aragiorgis | ifconfig $INTERFACE 0.0.0.0 up |
| 199 | cf51ea5b | Dimitris Aragiorgis | brctl addif $BRIDGE $INTERFACE |
| 200 | 7d163a24 | Dimitris Aragiorgis | setup_nfdhcpd $BRIDGE |
| 201 | 2b9e52e1 | Dimitris Aragiorgis | setup_ebtables > /dev/null 2>&1 |
| 202 | d2b16e51 | Dimitris Aragiorgis | fi |