Synnefo » snf-network

#!/bin/bash

# This is an example of a Ganeti kvm ifup script that configures network

# interfaces based on the initial deployment of the Okeanos project

TAP_CONSTANT_MAC=cc:47:52:4e:45:54 # GRNET in hex :-)

MAC2EUI64=/usr/bin/mac2eui64

NFDHCPD_STATE_DIR=/var/lib/nfdhcpd

function clear_tap {

 arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle >/dev/null 2>&1

 while ip rule del dev $INTERFACE; do :; done >/dev/null 2>&1

 iptables -D FORWARD -i $INTERFACE -p udp --dport 67 -j DROP > /dev/null 2>&1

}

function routed_setup_ipv4 {

	# mangle ARPs to come from the gw's IP

	arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s    "$GATEWAY"

	# route interface to the proper routing table

	ip rule add dev $INTERFACE table $TABLE 

	# static route mapping IP -> INTERFACE

	ip route replace $IP proto static dev $INTERFACE table $TABLE

	# Enable proxy ARP

	echo 1 > /proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp

}

function routed_setup_ipv6 {

	# Add a routing entry for the eui-64

	prefix=$SUBNET6

	uplink=$GATEWAY6

	eui64=$($MAC2EUI64 $MAC $prefix)

	while ip -6 rule del dev $INTERFACE; do :; done > /dev/null 2>&1

	ip -6 rule add dev $INTERFACE table $TABLE

	ip -6 ro replace $eui64/128 dev $INTERFACE table $TABLE

	ip -6 neigh add proxy $eui64 dev $uplink > /dev/null 2>&1

	# disable proxy NDP since we're handling this on userspace

	# this should be the default, but better safe than sorry

	echo 0 > /proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp

}

# pick a firewall profile per NIC, based on tags (and apply it)

function routed_setup_firewall {

	ifprefix="synnefo:network:$INTERFACE_INDEX:"

	for tag in $TAGS; do

		case ${tag#$ifprefix} in

		protected)

			chain=protected

		;;

		unprotected)

			chain=unprotected

		;;

		limited)

			chain=limited

		;;

		esac

	done

	# Flush any old rules. We have to consider all chains, since

	# we are not sure the instance was on the same chain, or had the same

	# tap interface.

	for oldchain in protected unprotected limited; do

		iptables  -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null

		ip6tables -D FORWARD -o $INTERFACE -j $oldchain 2>/dev/null

	done

	if [ "x$chain" != "x" ]; then

		iptables  -A FORWARD -o $INTERFACE -j $chain

		ip6tables -A FORWARD -o $INTERFACE -j $chain

	fi

}

function setup_nfdhcpd {

	umask 022

  FILE=$NFDHCPD_STATE_DIR/$INTERFACE

  #IFACE is the interface from which the packet seems to arrive

  #needed in bridged mode where the packets seems to arrive from the

  #bridge and not from the tap

	cat >$FILE <<EOF

INDEV=$1

IP=$IP

MAC=$MAC

HOSTNAME=$INSTANCE

TAGS="$TAGS"

EOF

if [ -n "$GATEWAY" ]; then

 echo GATEWAY=$GATEWAY >> $FILE

fi

if [ -n "$SUBNET" ]; then

 echo SUBNET=$SUBNET >> $FILE

fi

if [ -n "$GATEWAY6" ]; then

 echo GATEWAY6=$GATEWAY6 >> $FILE

fi

if [ -n "$SUBNET6" ]; then

 echo SUBNET6=$SUBNET6 >> $FILE

 eui64=$($MAC2EUI64 $MAC $SUBNET6)

 echo EUI64=$eui64 >> $FILE

fi

}

function clear_ebtables {

  TAP=$INTERFACE

  FROM=FROM${TAP^^}

  TO=TO${TAP^^}

  exist=$(ebtables -L | grep $TAP)

  if [ ! -z "$exist" ]; then

    ebtables -D INPUT -i $TAP -j $FROM > /dev/null 2>&1

    ebtables -D FORWARD -i $TAP -j $FROM > /dev/null 2>&1

    ebtables -D FORWARD -o $TAP -j $TO > /dev/null 2>&1

    ebtables -D OUTPUT -o $TAP -j $TO > /dev/null 2>&1

    ebtables -X $FROM > /dev/null 2>&1

    ebtables -X $TO > /dev/null 2>&1

  fi

}

function setup_ebtables {

  TAP=$INTERFACE

  FROM=FROM${TAP^^}

  TO=TO${TAP^^}

  ebtables -N $FROM

  # do not allow changes in ip-mac pair

  ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP

  ebtables -A $FROM -s \! $MAC -j DROP

  ebtables -A FORWARD -i $TAP -j $FROM

  ebtables -N $TO

  ebtables -A FORWARD -o $TAP -j $TO

  #accept dhcp responses from host (nfdhcpd)

  ebtables -A $TO -p ipv4 --ip-protocol=udp  --ip-destination-port=68 -j ACCEPT

  if [ "$TYPE" == "private" ]; then

    if [ ! -z "$GATEWAY" -a $ENABLE_MASQ ]; then

      # allow packets from/to router (for masquerading

      ebtables -A $TO -s $ROUTER_MAC -j ACCEPT

      ebtables -A INPUT -i $TAP -j $FROM

      ebtables -A OUTPUT -o $TAP -j $TO

    fi

    # allow only packets from the same mac prefix

    ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP

  fi

}

DEFAULT=/etc/default/snf-network

source $DEFAULT

source $CONF

NODEINFRAFILE=$SHAREDDIR/infra/$(hostname)

if [ -e "$NODEINFRAFILE" ]; then

  source $NODEINFRAFILE

fi

CLUSTERINFRAFILE=$SHAREDDIR/infra/cluster

if [ -e "$CLUSTERINFRAFILE" ]; then

  source $CLUSTERINFRAFILE

fi

NETFILE=$SHAREDDIR/networks/$NETWORK

if [ -e "$NETFILE" ]; then

  source $NETFILE

fi

if [ "$MODE" = "routed" ]; then

  TABLE=rt_$NETWORK

	# special proxy-ARP/NDP routing mode

  clear_tap > /dev/null 2>&1

  clear_ebtables >/dev/null 2>&1

	# use a constant predefined MAC address for the tap

	ip link set $INTERFACE addr $TAP_CONSTANT_MAC

	# bring the tap up

	ifconfig $INTERFACE 0.0.0.0 up

	# Drop unicast BOOTP/DHCP packets

	iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP

	routed_setup_ipv4 > /dev/null 2>&1

	routed_setup_ipv6 > /dev/null 2>&1

	routed_setup_firewall

	setup_nfdhcpd $INTERFACE

elif [ "$MODE" = "bridged" ]; then

  clear_tap > /dev/null 2>&1

  clear_ebtables >/dev/null 2>&1

	ifconfig $INTERFACE 0.0.0.0 up

	brctl addif $BRIDGE $INTERFACE

	setup_nfdhcpd $BRIDGE

  setup_ebtables

fi