1 | f533f224 | Vangelis Koukis | #!/bin/bash |
2 | f533f224 | Vangelis Koukis | |
3 | f533f224 | Vangelis Koukis | # This is an example of a Ganeti kvm ifup script that configures network |
4 | f533f224 | Vangelis Koukis | # interfaces based on the initial deployment of the Okeanos project |
5 | f533f224 | Vangelis Koukis | |
# Fixed MAC address given to every tap in routed mode ("GRNET" spelled in hex).
TAP_CONSTANT_MAC='cc:47:52:4e:45:54'
# External helper that turns a MAC plus an IPv6 prefix into an EUI-64 address.
MAC2EUI64='/usr/bin/mac2eui64'
# Directory holding one state file per tap interface for nfdhcpd.
NFDHCPD_STATE_DIR='/var/lib/nfdhcpd'
9 | f533f224 | Vangelis Koukis | |
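#######################################
# Set up IPv4 proxy-ARP routing for the instance's tap interface.
# Globals:   INTERFACE, LINK, IP (read; supplied in the environment by Ganeti)
# Outputs:   diagnostics on stderr
# Returns:   status of the last command run
#######################################
routed_setup_ipv4() {
  local gw

  # The link's routing table carries the default route; its gateway is the
  # address the instance must see as the source of our ARP requests.
  # (\+ is GNU sed syntax.)
  gw=$(ip route list table "$LINK" | sed -n 's/default via \([^ ]\+\).*/\1/p' | head -n 1)

  if [[ -z "$gw" ]]; then
    # Without a gateway --mangle-ip-s would get an empty argument; say so
    # instead of letting arptables fail with a confusing message.
    printf 'routed_setup_ipv4: no default gateway in table %s, ARP mangling skipped\n' "$LINK" >&2
  else
    # Mangle outgoing ARP requests to come from the gateway's IP. Remove a rule
    # left over from a previous run first; -D fails harmlessly if none exists.
    arptables -D OUTPUT -o "$INTERFACE" --opcode request -j mangle >/dev/null 2>&1
    arptables -A OUTPUT -o "$INTERFACE" --opcode request -j mangle --mangle-ip-s "$gw"
  fi

  # Route the interface through the link's table: drop every existing rule
  # for the device (the loop ends when `ip rule del` finds none), then add one.
  while ip rule del dev "$INTERFACE"; do :; done
  ip rule add dev "$INTERFACE" table "$LINK"

  # Static route mapping the instance's IP to the tap.
  ip route replace "$IP" table "$LINK" proto static dev "$INTERFACE"

  # Enable proxy ARP so the host answers ARP for the instance's address.
  echo 1 > "/proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp"
}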
28 | f533f224 | Vangelis Koukis | |
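#######################################
# Set up IPv6 proxy-NDP routing for the instance's tap interface.
# Globals:   INTERFACE, LINK, MAC (read; supplied in the environment by Ganeti)
#            MAC2EUI64 (read)
# Outputs:   diagnostics on stderr
# Returns:   status of the last command run
#######################################
routed_setup_ipv6() {
  local prefix uplink eui64

  # Both the /64 prefix and the uplink device come from the link's table.
  prefix=$(ip -6 route list table "$LINK" | awk '/\/64/ {print $1; exit}')
  uplink=$(ip -6 route list table "$LINK" | sed -n 's/default via .* dev \([^ ]\+\).*/\1/p' | head -n 1)

  # Route the interface through the link's table: drop every existing rule
  # for the device (the loop ends when `ip -6 rule del` finds none), then add one.
  while ip -6 rule del dev "$INTERFACE"; do :; done
  ip -6 rule add dev "$INTERFACE" table "$LINK"

  # The host route and the proxy entry need the instance's EUI-64 address;
  # an empty prefix, uplink or eui64 would otherwise produce "/128" and
  # "dev" with no argument, so check before using them.
  if [[ -n "$prefix" && -n "$uplink" ]] && eui64=$("$MAC2EUI64" "$MAC" "$prefix") && [[ -n "$eui64" ]]; then
    ip -6 route replace "$eui64/128" dev "$INTERFACE" table "$LINK"
    # Proxy NDP entry on the uplink so neighbours resolve the instance's address.
    # `add` fails with EEXIST if the entry survived a previous run.
    ip -6 neigh add proxy "$eui64" dev "$uplink"
  else
    printf 'routed_setup_ipv6: no /64 prefix, uplink or EUI-64 for table %s, IPv6 route skipped\n' "$LINK" >&2
  fi

  # Disable kernel proxy NDP since it is handled in userspace; this should be
  # the default, but better safe than sorry.
  echo 0 > "/proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp"
}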
44 | f533f224 | Vangelis Koukis | |
45 | f533f224 | Vangelis Koukis | # pick a firewall profile per NIC, based on tags (and apply it) |
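#######################################
# Pick a firewall profile for this NIC from the instance's tags and apply it.
# A tag of the form synnefo:network:<INTERFACE_INDEX>:<profile>, with <profile>
# one of protected, unprotected or limited, selects the chain that FORWARD
# traffic leaving the tap is sent to. The last matching tag wins; with no
# matching tag no chain is attached (only stale rules are flushed).
# Globals:   INTERFACE, INTERFACE_INDEX, TAGS (read; supplied by Ganeti)
#######################################
routed_setup_firewall() {
  local ifprefix="synnefo:network:$INTERFACE_INDEX:"
  # Start from an empty selection: a value inherited from the environment
  # or a previous call must never pick a chain.
  local chain='' tag oldchain

  # TAGS is a whitespace-separated list, so word-splitting is intended here.
  # shellcheck disable=SC2086
  for tag in $TAGS; do
    # Only tags carrying this NIC's prefix count; a bare "protected" tag or a
    # tag for another NIC must not select a chain.
    [[ "$tag" == "$ifprefix"* ]] || continue
    # The profile names are whitelisted here, so only these three chain names
    # can ever reach iptables.
    case "${tag#"$ifprefix"}" in
      protected)   chain=protected ;;
      unprotected) chain=unprotected ;;
      limited)     chain=limited ;;
    esac
  done

  # Flush any old rules. All chains are tried, since the instance may have
  # been on a different chain, or on a different tap, the last time it was up.
  for oldchain in protected unprotected limited; do
    iptables -D FORWARD -o "$INTERFACE" -j "$oldchain" 2>/dev/null
    ip6tables -D FORWARD -o "$INTERFACE" -j "$oldchain" 2>/dev/null
  done

  if [[ -n "$chain" ]]; then
    iptables -A FORWARD -o "$INTERFACE" -j "$chain"
    ip6tables -A FORWARD -o "$INTERFACE" -j "$chain"
  fi
}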
75 | f533f224 | Vangelis Koukis | |
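#######################################
# Write the per-tap state file consumed by nfdhcpd.
# The file is a key=value listing of the NIC's addressing details, named
# after the tap under NFDHCPD_STATE_DIR (presumably what nfdhcpd keys on;
# verify against its configuration).
# Globals:   NFDHCPD_STATE_DIR, INTERFACE, IP, MAC, LINK, INSTANCE, TAGS (read)
# Outputs:   diagnostics on stderr
# Returns:   0 on success, 1 when the state file cannot be written
#######################################
routed_setup_nfdhcpd() {
  local state_file="$NFDHCPD_STATE_DIR/$INTERFACE"

  # Create the file 0644 whatever umask the hook inherited.
  umask 022
  cat >"$state_file" <<EOF || { printf 'routed_setup_nfdhcpd: cannot write %s\n' "$state_file" >&2; return 1; }
IP=$IP
MAC=$MAC
LINK=$LINK
HOSTNAME=$INSTANCE
TAGS="$TAGS"
EOF
}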
86 | f533f224 | Vangelis Koukis | |
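# Entry point: MODE, INTERFACE, BRIDGE, IP, MAC, LINK, INSTANCE, TAGS and
# INTERFACE_INDEX are supplied in the environment by Ganeti.
if [[ "$MODE" == "routed" ]]; then
  # Special proxy-ARP/NDP routing mode.

  # Use a constant, predefined MAC address for the tap, then bring it up.
  ip link set dev "$INTERFACE" address "$TAP_CONSTANT_MAC"
  ifconfig "$INTERFACE" 0.0.0.0 up

  # Drop unicast BOOTP/DHCP packets forwarded from the instance. Remove a
  # stale copy of the rule first so repeated ifup runs do not accumulate it.
  iptables -D FORWARD -i "$INTERFACE" -p udp --dport 67 -j DROP 2>/dev/null
  iptables -A FORWARD -i "$INTERFACE" -p udp --dport 67 -j DROP
  # NOTE(review): there is no matching ip6tables rule for DHCPv6 (udp/547);
  # confirm whether one is needed.

  routed_setup_ipv4
  routed_setup_ipv6
  routed_setup_firewall
  routed_setup_nfdhcpd
elif [[ "$MODE" == "bridged" ]]; then
  ifconfig "$INTERFACE" 0.0.0.0 up
  brctl addif "$BRIDGE" "$INTERFACE"
  # A bridged NIC has no nfdhcpd state; drop anything left from a routed run.
  # ${VAR:?} keeps an unset state dir from turning this into `rm -f /tap`.
  rm -f -- "${NFDHCPD_STATE_DIR:?}/$INTERFACE"
else
  # Unknown or missing MODE used to be ignored silently; say so instead.
  printf '%s: unknown MODE "%s" for %s, nothing configured\n' "${0##*/}" "$MODE" "$INTERFACE" >&2
fi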