#!/bin/bash
# This is an example of a Ganeti kvm ifup script that configures network
# interfaces based on the initial deployment of the Okeanos project
# Fixed MAC address given to every tap in routed mode ("GRNET" in hex :-)).
readonly TAP_CONSTANT_MAC=cc:47:52:4e:45:54
# Helper invoked as "$MAC2EUI64 <mac> <prefix>" to obtain the EUI-64 address.
readonly MAC2EUI64=/usr/bin/mac2eui64
# Directory holding one state file per interface for nfdhcpd.
readonly NFDHCPD_STATE_DIR=/var/lib/nfdhcpd
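#######################################
# Routed mode, IPv4: steer the tap's traffic through routing table $LINK,
# make ARP requests leaving the tap carry the link gateway's IP, add a
# host route for $IP via the tap and enable proxy ARP on the tap.
# Globals:   INTERFACE, LINK, IP (read; from the environment)
# Outputs:   warning on stderr when table $LINK has no default gateway
# Returns:   exit status of the last command run
#######################################
function routed_setup_ipv4 {
	local gw

	# The link's default gateway: first "default via X" entry in table $LINK.
	gw=$(ip route list table "$LINK" | sed -n 's/default via \([^ ]\+\).*/\1/p' | head -1)

	# Mangle outgoing ARP requests so they appear to come from the gateway's
	# IP. Drop any stale rule first so repeated ifup runs do not stack
	# duplicates; the delete is expected to fail on a fresh interface.
	arptables -D OUTPUT -o "$INTERFACE" --opcode request -j mangle >/dev/null 2>&1
	if [[ -n "$gw" ]]; then
		arptables -A OUTPUT -o "$INTERFACE" --opcode request -j mangle --mangle-ip-s "$gw"
	else
		# Without a gateway there is no sensible source IP to mangle to;
		# skip the rule rather than pass an empty --mangle-ip-s.
		printf 'kvm-vif-bridge: no default gateway in table %s, skipping ARP mangling for %s\n' \
			"$LINK" "$INTERFACE" >&2
	fi

	# Route the tap into the per-link routing table. Delete every existing
	# rule for this dev first (the loop ends when none is left).
	while ip rule del dev "$INTERFACE"; do :; done
	ip rule add dev "$INTERFACE" table "$LINK"

	# static route mapping IP -> INTERFACE
	ip route replace "$IP" table "$LINK" proto static dev "$INTERFACE"

	# Enable proxy ARP on the tap
	echo 1 > "/proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp"
}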
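#######################################
# Routed mode, IPv6: compute the EUI-64 address from $MAC and the /64
# prefix found in table $LINK, route it to the tap and add a neighbour
# proxy entry for it on the uplink; kernel proxy NDP stays disabled.
# Globals:   INTERFACE, LINK, MAC (read; from the environment), MAC2EUI64
# Outputs:   warning on stderr when prefix, uplink or EUI-64 cannot be found
# Returns:   exit status of the last command run
#######################################
function routed_setup_ipv6 {
	local prefix uplink eui64=

	# First /64 route in table $LINK gives the prefix; the default route's
	# "dev" gives the uplink interface.
	prefix=$(ip -6 route list table "$LINK" | awk '/\/64/ {print $1; exit}')
	uplink=$(ip -6 route list table "$LINK" | sed -n 's/default via .* dev \([^ ]\+\).*/\1/p' | head -1)

	# Only ask for an EUI-64 when there is a prefix to build it from.
	if [[ -n "$prefix" ]]; then
		eui64=$("$MAC2EUI64" "$MAC" "$prefix")
	fi

	# Route the tap into the per-link table; drop stale rules first.
	while ip -6 rule del dev "$INTERFACE"; do :; done
	ip -6 rule add dev "$INTERFACE" table "$LINK"

	if [[ -z "$eui64" || -z "$uplink" ]]; then
		printf 'kvm-vif-bridge: incomplete IPv6 setup for %s (prefix="%s" uplink="%s" eui64="%s")\n' \
			"$INTERFACE" "$prefix" "$uplink" "$eui64" >&2
	fi
	# Guard each command on its own inputs instead of passing an empty
	# address or dev to ip, which would only produce a usage error.
	if [[ -n "$eui64" ]]; then
		# host route for the eui-64 address
		ip -6 ro replace "$eui64/128" dev "$INTERFACE" table "$LINK"
		if [[ -n "$uplink" ]]; then
			ip -6 neigh add proxy "$eui64" dev "$uplink"
		fi
	fi

	# disable kernel proxy NDP since we're handling this in userspace
	# this should be the default, but better safe than sorry
	echo 0 > "/proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp"
}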
# pick a firewall profile per NIC, based on tags (and apply it)
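#######################################
# Routed mode: pick the firewall profile for this NIC from the instance
# tags and attach the matching chain to FORWARD for traffic leaving on the
# tap. A tag "synnefo:network:<INTERFACE_INDEX>:<profile>" (or a bare
# "<profile>") selects protected, unprotected or limited; with several
# matching tags the last one in $TAGS wins; with none, no chain is attached.
# Globals:   INTERFACE, INTERFACE_INDEX, TAGS (read; from the environment)
# Returns:   exit status of the last iptables/ip6tables command
#######################################
function routed_setup_firewall {
	local ifprefix="synnefo:network:$INTERFACE_INDEX:"
	local tag oldchain chain=

	# $TAGS is a whitespace-separated list; word-splitting here is intended.
	for tag in $TAGS; do
		case "${tag#"$ifprefix"}" in
		protected|unprotected|limited)
			chain=${tag#"$ifprefix"}
		;;
		esac
	done

	# Flush any old rules. We have to consider all chains, since we are not
	# sure the instance was on the same chain, or had the same tap
	# interface. Loop until no rule for this interface is left, so that
	# duplicates accumulated by earlier runs are removed as well.
	for oldchain in protected unprotected limited; do
		while iptables  -D FORWARD -o "$INTERFACE" -j "$oldchain" 2>/dev/null; do :; done
		while ip6tables -D FORWARD -o "$INTERFACE" -j "$oldchain" 2>/dev/null; do :; done
	done

	if [[ -n "$chain" ]]; then
		iptables  -A FORWARD -o "$INTERFACE" -j "$chain"
		ip6tables -A FORWARD -o "$INTERFACE" -j "$chain"
	fi
}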
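#######################################
# Routed mode: write the per-interface state file for nfdhcpd as
# key=value lines.
# Globals:   NFDHCPD_STATE_DIR, INTERFACE, IP, MAC, LINK, INSTANCE, TAGS (read)
# Outputs:   $NFDHCPD_STATE_DIR/$INTERFACE
# Returns:   exit status of the cat that writes the file
#######################################
function routed_setup_nfdhcpd {
	# umask is process-wide, not function-local: it stays in effect for the
	# rest of the script (file ends up world-readable, owner-writable).
	umask 022
	# The line format is what nfdhcpd expects; keep it byte-identical.
	# Only TAGS is quoted, so a tag containing a double quote would
	# corrupt that line. TODO(review): confirm how nfdhcpd handles that.
	cat >"$NFDHCPD_STATE_DIR/$INTERFACE" <<EOF
IP=$IP
MAC=$MAC
LINK=$LINK
HOSTNAME=$INSTANCE
TAGS="$TAGS"
EOF
}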
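# Dispatch on the NIC mode passed in $MODE; an unknown mode is reported
# on stderr but, as before, does not fail the script.
if [[ "$MODE" == "routed" ]]; then
	# special proxy-ARP/NDP routing mode

	# use a constant predefined MAC address for the tap
	ip link set "$INTERFACE" addr "$TAP_CONSTANT_MAC"
	# bring the tap up
	ifconfig "$INTERFACE" 0.0.0.0 up

	# Drop unicast BOOTP/DHCP packets coming in from the tap. Remove every
	# stale copy of the rule first so repeated ifup runs do not stack
	# duplicates; the delete fails (and the loop ends) once none is left.
	while iptables -D FORWARD -i "$INTERFACE" -p udp --dport 67 -j DROP 2>/dev/null; do :; done
	iptables -A FORWARD -i "$INTERFACE" -p udp --dport 67 -j DROP

	routed_setup_ipv4
	routed_setup_ipv6
	routed_setup_firewall
	routed_setup_nfdhcpd
elif [[ "$MODE" == "bridged" ]]; then
	ifconfig "$INTERFACE" 0.0.0.0 up
	brctl addif "$BRIDGE" "$INTERFACE"
	# no nfdhcpd state for a bridged NIC; clear any leftover from a routed run
	# (":?" aborts rather than operating on "/$INTERFACE" if the dir is unset)
	rm -f -- "${NFDHCPD_STATE_DIR:?}/$INTERFACE"
else
	printf 'kvm-vif-bridge: unknown MODE "%s" for %s, nothing done\n' "$MODE" "$INTERFACE" >&2
fi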