Commit d9d5e6a9 authored by Leigh B Stoller's avatar Leigh B Stoller

Changes for xen vif routing, also a couple of new rules

for elabinelab (multicast, apod).
parent 35aaf499
#!/usr/bin/perl -w #!/usr/bin/perl -w
# #
# Copyright (c) 2000-2013 University of Utah and the Flux Group. # Copyright (c) 2000-2014 University of Utah and the Flux Group.
# #
# {{{EMULAB-LICENSE # {{{EMULAB-LICENSE
# #
...@@ -66,24 +66,29 @@ my $TMCD_PORT = 7777; ...@@ -66,24 +66,29 @@ my $TMCD_PORT = 7777;
my $SLOTHD_PORT = 8509; my $SLOTHD_PORT = 8509;
my $EVPROXY_PORT= 16505; my $EVPROXY_PORT= 16505;
my $IPTABLES = "/sbin/iptables"; my $IPTABLES = "/sbin/iptables";
my $ARPING = "/usr/bin/arping";
# For testing.
my $VIFROUTING = ((-e "$ETCDIR/xenvifrouting") ? 1 : 0);
usage() usage()
if (@ARGV < 4); if (@ARGV < 5);
my $vmid = shift(@ARGV); my $vmid = shift(@ARGV);
my $host_ip = shift(@ARGV); my $host_ip = shift(@ARGV);
my $vnode_id = shift(@ARGV); my $vnode_id = shift(@ARGV);
my $vnode_ip = shift(@ARGV); my $vnode_ip = shift(@ARGV);
my $vnode_mac = shift(@ARGV);
# The caller (xmcreate) puts this into the environment. # The caller (xmcreate) puts this into the environment.
my $vif = $ENV{'vif'}; my $vif = $ENV{'vif'};
my $XENBUS_PATH = $ENV{'XENBUS_PATH'}; my $XENBUS_PATH = $ENV{'XENBUS_PATH'};
my $bridge = `xenstore-read "$XENBUS_PATH/bridge"`; my $bridge = `xenstore-read "$XENBUS_PATH/bridge"`;
# #
# Well, this is interesting; we could get called with the XEN store # Well, this is interesting; we are called with the XEN store
# gone and so not able to find the bridge. vif-bridge does the same # gone and so not able to find the bridge. vif-bridge does the same
# thing and just ignores it! So if we cannot get, default to what # thing and just ignores it! So if we cannot get it, default to what
# currently think is the control network bridge. # currently think is the control network bridge, so that vif-bridge
# does not leave a bunch of iptables rules behind.
# #
if ($?) { if ($?) {
$bridge = "xenbr0"; $bridge = "xenbr0";
...@@ -154,18 +159,44 @@ sub Online() ...@@ -154,18 +159,44 @@ sub Online()
{ {
mysystem2("ifconfig $vif txqueuelen 256"); mysystem2("ifconfig $vif txqueuelen 256");
if ($VIFROUTING) {
#
# When using routing instead of bridging, we have to restart
# dhcp *after* the vif has been created so that dhcpd will
# start listening on it.
#
if (TBScriptLock("dhcpd", 0, 900) != TBSCRIPTLOCK_OKAY()) {
print STDERR "Could not get the dhcpd lock after a long time!\n";
return -1;
}
restartDHCP();
TBScriptUnlock();
#
# And this clears the arp caches.
#
mysystem("$ARPING -c 4 -A -I $bridge $vnode_ip");
}
# Prevent dhcp requests from leaving the physical host. # Prevent dhcp requests from leaving the physical host.
DoIPtables("-A FORWARD -o $bridge -m pkttype ". DoIPtables("-A FORWARD -o $bridge -m pkttype ".
"--pkt-type broadcast " . "--pkt-type broadcast " .
"-m physdev --physdev-in $vif --physdev-is-bridged ". "-m physdev --physdev-in $vif --physdev-is-bridged ".
"--physdev-out $outer_controlif -j DROP") "--physdev-out $outer_controlif -j DROP")
== 0 or return -1; == 0 or return -1;
# #
# We ask vif-bridge to turn on antispoofing; this rule would negate that. # We turn on antispoofing. In bridge mode, vif-bridge adds a rule
# to allow outgoing traffic. But vif-route does this wrong, so we
# do it here. We also need an incoming rule since in route mode,
# incoming packets go throught the FORWARD table, which is set to
# DROP for antispoofing.
# #
if (0) { if ($VIFROUTING) {
DoIPtables("-A FORWARD -m physdev --physdev-in $vif -j ACCEPT") DoIPtables("-A FORWARD -i $vif -s $vnode_ip ".
" -m mac --mac-source $vnode_mac -j ACCEPT")
== 0 or return -1;
DoIPtables("-A FORWARD -o $vif -d $vnode_ip -j ACCEPT")
== 0 or return -1; == 0 or return -1;
} }
...@@ -268,6 +299,20 @@ sub Online() ...@@ -268,6 +299,20 @@ sub Online()
" -s $vnode_ip -d $network/$cnet_mask") " -s $vnode_ip -d $network/$cnet_mask")
== 0 or return -1; == 0 or return -1;
#
# Do not rewrite multicast (frisbee) traffic. Client throws up.
#
DoIPtables("-t nat -A POSTROUTING -j ACCEPT " .
" -s $vnode_ip -d 224.0.0.0/4")
== 0 or return -1;
#
# Ditto the apod packet.
#
DoIPtables("-t nat -A POSTROUTING -j ACCEPT ".
" -s $vnode_ip -m icmp --protocol icmp --icmp-type 6/6")
== 0 or return -1;
# #
# Boss/ops/fs specific rules in case the control network is # Boss/ops/fs specific rules in case the control network is
# segmented like it is in Utah. # segmented like it is in Utah.
...@@ -309,9 +354,10 @@ sub Offline() ...@@ -309,9 +354,10 @@ sub Offline()
"--physdev-out $outer_controlif -j DROP"); "--physdev-out $outer_controlif -j DROP");
# See above. # See above.
if (0) { if ($VIFROUTING) {
DoIPtables("-D FORWARD -m physdev ". DoIPtables("-D FORWARD -i $vif -s $vnode_ip ".
"--physdev-in $vif -j ACCEPT"); " -m mac --mac-source $vnode_mac -j ACCEPT");
DoIPtables("-D FORWARD -o $vif -d $vnode_ip -j ACCEPT");
} }
# tmcc # tmcc
...@@ -350,6 +396,12 @@ sub Offline() ...@@ -350,6 +396,12 @@ sub Offline()
DoIPtables("-t nat -D POSTROUTING -j ACCEPT " . DoIPtables("-t nat -D POSTROUTING -j ACCEPT " .
" -s $vnode_ip -d $boss_ip,$ops_ip"); " -s $vnode_ip -d $boss_ip,$ops_ip");
DoIPtables("-t nat -D POSTROUTING -j ACCEPT " .
" -s $vnode_ip -d 224.0.0.0/4");
DoIPtables("-t nat -D POSTROUTING -j ACCEPT ".
" -s $vnode_ip -m icmp --protocol icmp --icmp-type 6/6");
} }
DoIPtables("-t nat -D POSTROUTING ". DoIPtables("-t nat -D POSTROUTING ".
...@@ -379,7 +431,19 @@ if (@ARGV) { ...@@ -379,7 +431,19 @@ if (@ARGV) {
# First run the xen script to do the bridge interface. We do this # First run the xen script to do the bridge interface. We do this
# inside the lock since vif-bridge does some iptables stuff. # inside the lock since vif-bridge does some iptables stuff.
# #
mysystem2("/etc/xen/scripts/vif-bridge @ARGV"); # vif-bridge/vif-route has bugs that cause it to leave iptables
# rules behind. If we put this stuff into the environment, they
# will work properly.
#
$ENV{"ip"} = $vnode_ip;
if ($VIFROUTING) {
$ENV{"netdev"} = "xenbr0";
$ENV{"gatewaydev"} = "xenbr0";
mysystem2("/etc/xen/scripts/vif-route-emulab @ARGV");
}
else {
mysystem2("/etc/xen/scripts/vif-bridge @ARGV");
}
if ($?) { if ($?) {
TBScriptUnlock(); TBScriptUnlock();
exit(1); exit(1);
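Review bot: The new `$vnode_mac` argument shifted from @ARGV at line 26 is interpolated verbatim into the FORWARD rules at lines 74-75 and 102-103 with no format check, and DoIPtables appears to turn that string into an iptables command line (its body is outside the hunks, so this is inferred). A malformed value makes the Online rule fail via the `== 0 or return -1` chain while the Offline `-D` at line 102 silently does nothing, so validate it next to the usage check and reassign from the capture, which also untaints it: `$vnode_mac =~ /^([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})$/ or usage();` then `$vnode_mac = $1;`. The `$VIFROUTING` branch at line 58 has the same shape: `$bridge` (read from xenstore at line 30) and `$vnode_ip` are interpolated into a shell string for `mysystem`, so a list-form call would avoid shell parsing if the helper supports it. That line also uses `mysystem` rather than the `mysystem2` used everywhere else in the hunk; if mysystem dies on a non-zero exit, a best-effort arping that gets no reply could abort Online, which is worth confirming against the helpers (not in the hunk).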