#!/bin/bash

    
# This is an example of a Ganeti kvm ifup script that configures network
# interfaces based on the initial deployment of the Okeanos project

    
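# Fixed MAC given to every routed-mode tap ("GRNET" in hex :-)
readonly TAP_CONSTANT_MAC=cc:47:52:4e:45:54
# Helper that derives the instance's EUI-64 address from its MAC and the
# link's /64 prefix; invoked below as: $MAC2EUI64 MAC PREFIX
readonly MAC2EUI64=/etc/ganeti/mac2eui64.py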

    
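#######################################
# Routed mode, IPv4: steer traffic for the NIC's IP through the link's
# routing table and answer ARP for it on the tap (proxy ARP).
# Globals (read): LINK, INTERFACE, IP
# Outputs:        diagnostics on stderr
# Returns:        status of the last command (the proxy_arp sysctl write)
#######################################
function routed_setup_ipv4 {
	local gw

	# The link's default gateway. ARP requests leaving the tap are rewritten
	# to carry the gateway's IP as source, so the instance ARPs for "its"
	# gateway and the tap answers.
	gw=$(ip route list table "$LINK" \
		| sed -n 's/default via \([^ ]\+\).*/\1/p' | head -1)
	if [[ -n "$gw" ]]; then
		# drop a stale rule first (fails harmlessly when there is none)
		arptables -D OUTPUT -o "$INTERFACE" --opcode request -j mangle >/dev/null 2>&1
		arptables -A OUTPUT -o "$INTERFACE" --opcode request -j mangle --mangle-ip-s "$gw"
	else
		# without a gateway the mangle rule would be installed with an empty
		# source; skip it rather than feed arptables an empty address
		printf 'kvm-vif-bridge: %s: no default gateway in table %s, ARP mangling skipped\n' \
			"$INTERFACE" "$LINK" >&2
	fi

	# route interface to the proper routing table: remove every old rule for
	# this device (the loop ends when "ip rule del" finds none), then add ours
	while ip rule del dev "$INTERFACE"; do :; done
	ip rule add dev "$INTERFACE" table "$LINK"

	# static host route mapping IP -> INTERFACE
	ip route replace "$IP" table "$LINK" proto static dev "$INTERFACE"

	# Enable proxy ARP on the tap
	printf '1\n' > "/proc/sys/net/ipv4/conf/$INTERFACE/proxy_arp"
}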

    
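#######################################
# Routed mode, IPv6: route the instance's EUI-64 address (derived from its
# MAC and the link's /64) to the tap and proxy NDP for it on the uplink.
# Globals (read): LINK, INTERFACE, MAC, MAC2EUI64
# Outputs:        diagnostics on stderr
# Returns:        status of the last command (the proxy_ndp sysctl write)
#######################################
function routed_setup_ipv6 {
	local routes prefix uplink eui64

	# Read the link's table once: the /64 route gives the prefix for the
	# EUI-64 address, the default route's device is the uplink to proxy on.
	routes=$(ip -6 route list table "$LINK")
	prefix=$(awk '/\/64/ {print $1; exit}' <<<"$routes")
	uplink=$(sed -n 's/default via .* dev \([^ ]\+\).*/\1/p' <<<"$routes" | head -1)
	eui64=
	if [[ -n "$prefix" ]]; then
		eui64=$("$MAC2EUI64" "$MAC" "$prefix")
	fi

	# route interface to the proper routing table (see routed_setup_ipv4)
	while ip -6 rule del dev "$INTERFACE"; do :; done
	ip -6 rule add dev "$INTERFACE" table "$LINK"

	if [[ -n "$eui64" && -n "$uplink" ]]; then
		# host route for the eui-64
		ip -6 route replace "$eui64/128" dev "$INTERFACE" table "$LINK"
		# "neigh add proxy" fails if the entry already exists, so clear a
		# leftover first (same delete-then-add idiom as the arptables rule)
		ip -6 neigh del proxy "$eui64" dev "$uplink" 2>/dev/null
		ip -6 neigh add proxy "$eui64" dev "$uplink"
	else
		# running "ip -6 route replace /128" with an empty address would
		# only produce an error; say why instead
		printf 'kvm-vif-bridge: %s: no /64 prefix, uplink or EUI-64 in table %s, IPv6 route/NDP proxy skipped\n' \
			"$INTERFACE" "$LINK" >&2
	fi

	# disable proxy NDP since we're handling this on userspace
	# this should be the default, but better safe than sorry
	printf '0\n' > "/proc/sys/net/ipv6/conf/$INTERFACE/proxy_ndp"
}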
43

    
44
# pick a firewall profile per NIC, based on tags (and apply it)
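#######################################
# Select the firewall chain for this NIC from the instance tags and jump to
# it from FORWARD (IPv4 and IPv6). Only tags of the form
# "synnefo:network:<INTERFACE_INDEX>:protected:1|2" are considered.
# Globals (read): TAGS (whitespace-separated tag list), INTERFACE,
#                 INTERFACE_INDEX
# Outputs:        nothing on stdout; iptables diagnostics on stderr
# Returns:        0 when no profile is selected, else the status of the
#                 last ip6tables call
#######################################
function routed_setup_firewall {
	local chain="" tag old
	local ifprefix="synnefo:network:$INTERFACE_INDEX:"

	# TAGS is a whitespace-separated list, so word-splitting is intended.
	# The last matching tag wins, as before.
	for tag in $TAGS; do
		case "${tag#"$ifprefix"}" in
			protected:1)
				chain=PROTECTED-1
				;;
			protected:2)
				chain=PROTECTED-2
				;;
		esac
	done

	# Remove the jump for every known profile, not only the selected one:
	# a NIC whose tag changed or was removed must not keep the old chain.
	# Loop because -D removes a single copy of a rule.
	for old in PROTECTED-1 PROTECTED-2; do
		while iptables  -D FORWARD -o "$INTERFACE" -j "$old" 2>/dev/null; do :; done
		while ip6tables -D FORWARD -o "$INTERFACE" -j "$old" 2>/dev/null; do :; done
	done

	if [[ -n "$chain" ]]; then
		iptables  -A FORWARD -o "$INTERFACE" -j "$chain"
		ip6tables -A FORWARD -o "$INTERFACE" -j "$chain"
	fi
}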
65

    
66
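#######################################
# Write the per-interface state file that nfdhcpd reads (IP, MAC, link,
# hostname and tags of the NIC).
# Globals (read): INTERFACE, IP, MAC, LINK, INSTANCE, TAGS
# Side effects:   sets umask 022 for the rest of the script so the file is
#                 world-readable
# Returns:        status of the write
#######################################
function routed_setup_nfdhcpd {
	local state_file="/var/run/ganeti-dhcpd/$INTERFACE"

	umask 022
	# the heredoc body is data for nfdhcpd, not shell code: values are
	# expanded but never evaluated
	cat >"$state_file" <<EOF
IP=$IP
MAC=$MAC
LINK=$LINK
HOSTNAME=$INSTANCE
TAGS="$TAGS"
EOF
}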
76

    
77
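# Dispatch on the NIC mode. All parameters (MODE, INTERFACE, MAC, IP, LINK,
# BRIDGE, TAGS, INSTANCE, INTERFACE_INDEX) are read from the environment;
# presumably exported by Ganeti when it runs the hook — confirm.
if [[ "$MODE" == "routed" ]]; then
	# special proxy-ARP/NDP routing mode

	# use a constant predefined MAC address for the tap
	ip link set "$INTERFACE" addr "$TAP_CONSTANT_MAC"
	# bring the tap up
	ifconfig "$INTERFACE" 0.0.0.0 up

	# Drop unicast BOOTP/DHCP packets arriving from the tap; delete a stale
	# copy first so re-running the hook does not stack duplicate rules
	iptables -D FORWARD -i "$INTERFACE" -p udp --dport 67 -j DROP 2>/dev/null
	iptables -A FORWARD -i "$INTERFACE" -p udp --dport 67 -j DROP

	routed_setup_ipv4
	routed_setup_ipv6
	routed_setup_firewall
	routed_setup_nfdhcpd
elif [[ "$MODE" == "bridged" ]]; then
	ifconfig "$INTERFACE" 0.0.0.0 up
	brctl addif "$BRIDGE" "$INTERFACE"
	# a bridged NIC has no nfdhcpd state; remove any leftover file
	rm -f -- "/var/run/ganeti-dhcpd/$INTERFACE"
else
	# an unrecognised mode used to be a silent no-op; say so instead
	printf 'kvm-vif-bridge: unknown MODE "%s", nothing configured\n' "$MODE" >&2
fi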