Commit a3ae428d authored by Leigh B Stoller's avatar Leigh B Stoller
Browse files

Set up NAT for packets heading off the control network.

parent bea88a10
#!/usr/bin/perl -w
#
# Copyright (c) 2000-2012 University of Utah and the Flux Group.
# Copyright (c) 2000-2013 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -26,6 +26,7 @@ use Getopt::Std;
use English;
use Data::Dumper;
use POSIX qw(setsid);
use Socket;
#
# Invoked by xmcreate script to configure the control network for a vnode.
......@@ -91,6 +92,17 @@ my $fs_ip = `host fs | grep 'has address'`;
if ($fs_ip =~ /has address ([0-9\.]*)$/) {
$fs_ip = $1;
}
my $PCNET_IP_FILE = "$BOOTDIR/myip";
my $PCNET_MASK_FILE = "$BOOTDIR/mynetmask";
my $PCNET_GW_FILE = "$BOOTDIR/routerip";
my $cnet_ip = `cat $PCNET_IP_FILE`;
my $cnet_mask = `cat $PCNET_MASK_FILE`;
my $cnet_gw = `cat $PCNET_GW_FILE`;
chomp($cnet_ip);
chomp($cnet_mask);
chomp($cnet_gw);
my $network = inet_ntoa(inet_aton($cnet_ip) & inet_aton($cnet_mask));
# Each container gets a tmcc proxy running on another port.
my $local_tmcd_port = $TMCD_PORT + $vmid;
......@@ -185,6 +197,25 @@ sub Online()
return -1
if ($?);
}
#
# If the source is from the vnode, headed to the local control
# net, no need for any NAT; just let it through.
#
mysystem2("$IPTABLES -t nat -A POSTROUTING -j ACCEPT " .
" -s $vnode_ip -d $network/$cnet_mask");
return -1
if ($?);
#
# Otherwise, setup NAT so that traffic leaving the vnode on its
# control net IP, that has been routed out the phys host's
# control net iface, is NAT'd to the phys host's control
# net IP, using SNAT.
#
mysystem2("$IPTABLES -t nat -A POSTROUTING ".
" -s $vnode_ip -o $bridge -j SNAT --to-source $host_ip");
return 0;
}
......@@ -223,6 +254,12 @@ sub Offline()
" -o $bridge");
}
mysystem2("$IPTABLES -t nat -D POSTROUTING -j ACCEPT " .
" -s $vnode_ip -d $network/$cnet_mask");
mysystem2("$IPTABLES -t nat -D POSTROUTING ".
" -s $vnode_ip -o $bridge -j SNAT --to-source $host_ip");
# evproxy
mysystem2("$IPTABLES -t nat -D PREROUTING -j DNAT -p tcp ".
" --dport $EVPROXY_PORT -d $ops_ip -s $vnode_ip ".
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment