All new accounts created on Gitlab now require administrator approval. If you invite any collaborators, please let Flux staff know so they can approve the accounts.

setup-linuxbridge-node.sh 16.1 KB
Newer Older
1 2 3
#!/bin/sh

#
4
# This sets up linuxbridge networks (on neutron, the external and data
5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
# networks).  The networkmanager and compute nodes' physical interfaces
# have to get moved into br-ex and br-int, respectively -- on the
# moonshots, that's eth0 and eth1.  The controller is special; it doesn't
# get an openvswitch setup, and gets eth1 10.0.0.3/8 .  The networkmanager
# is also special; it gets eth1 10.0.0.1/8, but its eth0 moves into br-ex,
# and its eth1 moves into br-int.  The compute nodes get IP addrs from
# 10.0.1.1/8 and up, but setup-ovs.sh determines that.
#

set -x

# Gotta know the rules!
if [ $EUID -ne 0 ] ; then
    echo "This script must be run as root" 1>&2
    exit 1
fi

# Grab our libs
. "`dirname $0`/setup-lib.sh"

25 26
logtstart "linuxbridge-node"

27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51
#
# Figure out which interfaces need to go where.  We already have 
# $EXTERNAL_NETWORK_INTERFACE from setup-lib.sh , and it and its configuration
# get applied to br-ex .  So, we need to find which interface corresponds to
# DATALAN on this node, if any, and move it (and its configuration OR its new
# new DATAIP iff USE_EXISTING_IPS was set) to br-int
#
EXTERNAL_NETWORK_BRIDGE="br-ex"

#
# If this is the controller, we don't have to do much network setup; just
# setup the data network with its IP.
#
#if [ "$HOSTNAME" = "$CONTROLLER" ]; then
#    if [ ${USE_EXISTING_IPS} -eq 0 ]; then
#	ifconfig ${DATA_NETWORK_INTERFACE} $DATAIP netmask 255.0.0.0 up
#    fi
#    exit 0;
#fi

#
# Grab our control net info before we change things around.
#
if [ ! -f $OURDIR/ctlnet.vars ]; then
    ctlip="$MYIP"
52 53
    ctlmac=`ip -o link show ${EXTERNAL_NETWORK_INTERFACE} | sed -n -e 's/^.*link\/ether \([0-9a-fA-F:]*\) .*$/\1/p'`
    ctlstrippedmac=`echo $ctlmac | sed -e 's/://g'`
54
    ctlnetmask=`ifconfig ${EXTERNAL_NETWORK_INTERFACE} | sed -n -e 's/^.*mask[: ]\([0-9]*.[0-9]*.[0-9]*.[0-9]*\).*$/\1/ip'`
55 56
    ctlgw=`ip route show default | sed -n -e 's/^default via \([0-9]*.[0-9]*.[0-9]*.[0-9]*\).*$/\1/p'`
    ctlnet=`ip route show dev ${EXTERNAL_NETWORK_INTERFACE} | sed -n -e 's/^\([0-9]*.[0-9]*.[0-9]*.[0-9]*\/[0-9]*\) .*$/\1/p'`
57
    ctlprefix=`echo $ctlnet | cut -d/ -f2`
58 59

    echo "ctlip=\"$ctlip\"" > $OURDIR/ctlnet.vars
60 61
    echo "ctlmac=\"$ctlmac\"" >> $OURDIR/ctlnet.vars
    echo "ctlstrippedmac=\"$ctlstrippedmac\"" >> $OURDIR/ctlnet.vars
62 63 64
    echo "ctlnetmask=\"$ctlnetmask\"" >> $OURDIR/ctlnet.vars
    echo "ctlgw=\"$ctlgw\"" >> $OURDIR/ctlnet.vars
    echo "ctlnet=\"$ctlnet\"" >> $OURDIR/ctlnet.vars
65
    echo "ctlprefix=\"$ctlprefix\"" >> $OURDIR/ctlnet.vars
66 67 68 69
else
    . $OURDIR/ctlnet.vars
fi

70 71 72 73 74 75 76 77 78 79 80 81 82 83 84
modprobe bridge

#
# Setup the external network
#
brctl addbr ${EXTERNAL_NETWORK_BRIDGE}
brctl addif ${EXTERNAL_NETWORK_BRIDGE} ${EXTERNAL_NETWORK_INTERFACE}

#
# Now move the $EXTERNAL_NETWORK_INTERFACE and default route config to ${EXTERNAL_NETWORK_BRIDGE}
#
ifconfig ${EXTERNAL_NETWORK_INTERFACE} 0 up
ifconfig ${EXTERNAL_NETWORK_BRIDGE} $ctlip netmask $ctlnetmask up
route add default gw $ctlgw

85 86 87
#
# Make the configuration for the $EXTERNAL_NETWORK_INTERFACE be static.
#
88
DNSDOMAIN=`hostname | cut -d. -f4-100`
89 90 91 92 93 94
DNSSERVER=`cat /etc/resolv.conf | grep nameserver | head -1 | awk '{ print $2 }'`

#
# We need to blow away the Emulab config -- no more dhcp
# This would definitely break experiment modify, of course
#
95 96
if [ $DISTRIB_MAJOR -lt 18 ]; then
    cat <<EOF > /etc/network/interfaces
97 98 99 100 101 102 103 104 105 106
#
# Openstack Network Node in Cloudlab/Emulab/Apt/Federation
#

# The loopback network interface
auto lo
iface lo inet loopback

auto ${EXTERNAL_NETWORK_INTERFACE}
iface ${EXTERNAL_NETWORK_INTERFACE} inet static
107 108 109 110 111
    address 0.0.0.0

auto ${EXTERNAL_NETWORK_BRIDGE}
iface ${EXTERNAL_NETWORK_BRIDGE} inet static
    bridge_ports ${EXTERNAL_NETWORK_INTERFACE}
112 113 114 115 116
    address $ctlip
    netmask $ctlnetmask
    gateway $ctlgw
    dns-search $DNSDOMAIN
    dns-nameservers $DNSSERVER
117
    up echo "${EXTERNAL_NETWORK_BRIDGE}" > /var/run/cnet
118
    up echo "${EXTERNAL_NETWORK_INTERFACE}" > /var/emulab/boot/controlif
119
EOF
120 121 122
else
    mv /etc/udev/rules.d/99-emulab-networkd.rules \
        /etc/udev/rules.d/99-emulab-networkd.rules.NO
123
    systemctl disable emulab-udev-settle.service
124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151
    cat <<EOF >/etc/systemd/system/testbed-pre-static-control-network.service
[Unit]
Description=Testbed Static Control Network Services
After=network.target network-online.target local-fs.target
Wants=network.target
Before=testbed.service
Before=pubsubd.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=$OURDIR/testbed-pre-static-control-network.sh
StandardOutput=journal+console
StandardError=journal+console

[Install]
WantedBy=multi-user.target
WantedBy=testbed.service
WantedBy=pubsubd.service
EOF
    cat <<EOF >$OURDIR/testbed-pre-static-control-network.sh
#!/bin/sh

#
# These are just the things we cannot do via hook from systemd-networkd,
# that were previously done in /etc/network/interfaces via "up" hook.
#
echo "${EXTERNAL_NETWORK_BRIDGE}" > /var/run/cnet
152
echo "${EXTERNAL_NETWORK_INTERFACE}" > /var/emulab/boot/controlif
153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181
EOF
    chmod 755 $OURDIR/testbed-pre-static-control-network.sh
    systemctl daemon-reload
    cat <<EOF >/etc/systemd/network/${EXTERNAL_NETWORK_BRIDGE}.netdev
[NetDev]
Name=${EXTERNAL_NETWORK_BRIDGE}
Kind=bridge
EOF
    cat <<EOF >/etc/systemd/network/${EXTERNAL_NETWORK_INTERFACE}.network
[Match]
Name=${EXTERNAL_NETWORK_INTERFACE}

[Network]
Bridge=${EXTERNAL_NETWORK_BRIDGE}
EOF
    cat <<EOF >/etc/systemd/network/${EXTERNAL_NETWORK_BRIDGE}.network
[Match]
Name=${EXTERNAL_NETWORK_BRIDGE}

[Network]
Description=OpenStack External Network Bridge
DHCP=no
Address=$ctlip/$ctlprefix
Gateway=$ctlgw
DNS=$DNSSERVER
Domains=$DNSDOMAIN
IPForward=yes
EOF
fi
182

183 184
# Also restart slothd so it listens on the new control iface.
echo "${EXTERNAL_NETWORK_BRIDGE}" > /var/run/cnet
185
echo "${EXTERNAL_NETWORK_INTERFACE}" > /var/emulab/boot/controlif
186 187 188 189 190
/usr/local/etc/emulab/rc/rc.slothd stop
pkill slothd
sleep 1
/usr/local/etc/emulab/rc/rc.slothd start

191 192 193 194
#
# Add the management network config if necessary (if not, it's already a VPN)
#
if [ ! -z "$MGMTLAN" ]; then
195 196
    if [ $DISTRIB_MAJOR -lt 18 ]; then
	cat <<EOF >> /etc/network/interfaces
197 198 199 200 201

auto ${MGMT_NETWORK_INTERFACE}
iface ${MGMT_NETWORK_INTERFACE} inet static
    address $MGMTIP
    netmask $MGMTNETMASK
202 203
    up mkdir -p /var/run/emulab
    up echo "${MGMT_NETWORK_INTERFACE} $MGMTIP $MGMTMAC" > /var/run/emulab/interface-done-$MGMTMAC
204
EOF
205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222
    else
	cat <<EOF >/etc/systemd/network/${MGMT_NETWORK_INTERFACE}.network
[Match]
Name=${MGMT_NETWORK_INTERFACE}

[Network]
Description=OpenStack Management Network
DHCP=no
Address=$MGMTIP/$MGMTPREFIX
IPForward=yes
EOF
	cat <<EOF >>$OURDIR/testbed-pre-static-control-network.sh

mkdir -p /var/run/emulab
echo "${MGMT_NETWORK_INTERFACE} $MGMTIP $MGMTMAC" > /var/run/emulab/interface-done-$MGMTMAC
EOF
    fi
    
223
    if [ -n "$MGMTVLANDEV" ]; then
224 225
	if [ $DISTRIB_MAJOR -lt 18 ]; then
	    cat <<EOF >> /etc/network/interfaces
226 227
    vlan-raw-device ${MGMTVLANDEV}
EOF
228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251
	else
	    cat <<EOF >/etc/systemd/network/${MGMT_NETWORK_INTERFACE}.netdev
[NetDev]
Name=${MGMT_NETWORK_INTERFACE}
Kind=vlan

[VLAN]
Id=$MGMTVLANTAG
EOF
	    if [ ! -e /etc/systemd/network/${MGMTVLANDEV}.network ]; then
		cat <<EOF >/etc/systemd/network/${MGMTVLANDEV}.network
[Match]
Name=${MGMTVLANDEV}

[Network]
DHCP=no
VLAN=${MGMT_NETWORK_INTERFACE}
EOF
	    else
		cat <<EOF >>/etc/systemd/network/${MGMTVLANDEV}.network
VLAN=${MGMT_NETWORK_INTERFACE}
EOF
	    fi
	fi
252 253 254 255 256 257 258 259 260 261
    fi
fi

#
# (Maybe) Setup the flat data networks
#
for lan in $DATAFLATLANS ; do
    # suck in the vars we'll use to configure this one
    . $OURDIR/info.$lan

262 263 264 265 266
    NETINTVLANSTR=""
    if [ -n "$DATAVLANDEV" ]; then
	NETINTVLANSTR="vlan-raw-device ${DATAVLANDEV}"
    fi

267 268 269 270 271 272 273 274
    if [ $LINUXBRIDGE_STATIC -eq 1 ]; then
	brctl addbr ${DATABRIDGE}
	brctl addif ${DATABRIDGE} ${DATADEV}
	ifconfig ${DATADEV} 0 up
	ifconfig ${DATABRIDGE} $DATAIP netmask $DATANETMASK up
        # XXX!
        #route add -net 10.0.0.0/8 dev ${DATA_NETWORK_BRIDGE}

275 276
	if [ $DISTRIB_MAJOR -lt 18 ]; then
	    cat <<EOF >> /etc/network/interfaces
277 278 279 280

auto ${DATADEV}
iface ${DATADEV} inet static
    address 0.0.0.0
281
    $NETINTVLANSTR
282 283 284 285 286 287 288 289 290

auto ${DATABRIDGE}
iface ${DATABRIDGE} inet static
    bridge_ports ${DATADEV}
    address $DATAIP
    netmask $DATANETMASK
    up mkdir -p /var/run/emulab
    up echo "${DATABRIDGE} $DATAIP $DATAMAC" > /var/run/emulab/interface-done-$DATAMAC
EOF
291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319
	else
	    cat <<EOF >/etc/systemd/network/${DATABRIDGE}.netdev
[NetDev]
Name=${DATABRIDGE}
Kind=bridge
EOF
	    cat <<EOF >/etc/systemd/network/${DATADEV}.network
[Match]
Name=${DATADEV}

[Network]
Bridge=${DATABRIDGE}
EOF
	    cat <<EOF >/etc/systemd/network/${DATABRIDGE}.network
[Match]
Name=${DATABRIDGE}

[Network]
Description=OpenStack Network Bridge
DHCP=no
Address=$DATAIP/$DATAPREFIX
IPForward=yes
EOF
	    cat <<EOF >>$OURDIR/testbed-pre-static-control-network.sh

mkdir -p /var/run/emulab
echo "${DATABRIDGE} $DATAIP $DATAMAC" > /var/run/emulab/interface-done-$DATAMAC
EOF
	fi
320
    else
321 322
	if [ $DISTRIB_MAJOR -lt 18 ]; then
	    cat <<EOF >> /etc/network/interfaces
323 324 325 326 327

auto ${DATADEV}
iface ${DATADEV} inet static
    address $DATAIP
    netmask $DATANETMASK
328
    $NETINTVLANSTR
329 330
    up mkdir -p /var/run/emulab
    up echo "${DATADEV} $DATAIP $DATAMAC" > /var/run/emulab/interface-done-$DATAMAC
331
EOF
332 333 334 335
	else
	    cat <<EOF >/etc/systemd/network/${DATADEV}.network
[Match]
Name=${DATADEV}
336

337 338
[Network]
Address=$DATAIP/$DATAPREFIX
339
EOF
340 341 342 343
	    cat <<EOF >>$OURDIR/testbed-pre-static-control-network.sh

mkdir -p /var/run/emulab
echo "${DATABRIDGE} $DATAIP $DATAMAC" > /var/run/emulab/interface-done-$DATAMAC
344 345 346 347 348 349 350
EOF
	fi
    fi

    # Handle vlan dev for $DATAVLANDEV case
    if [ $DISTRIB_MAJOR -ge 18 -a -n "$DATAVLANDEV" ]; then
	cat <<EOF >/etc/systemd/network/${DATADEV}.netdev
David Johnson's avatar
David Johnson committed
351
[NetDev]
352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369
Name=${DATADEV}
Kind=vlan

[VLAN]
Id=${DATAVLANTAG}
EOF
	if [ ! -e /etc/systemd/network/${DATAVLANDEV}.network ]; then
	    cat <<EOF >/etc/systemd/network/${DATAVLANDEV}.network
[Match]
Name=${MGMTVLANDEV}

[Network]
DHCP=no
VLAN=${DATADEV}
EOF
	else
	    cat <<EOF >>/etc/systemd/network/${DATAVLANDEV}.network
VLAN=${DATADEV}
370 371
EOF
	fi
372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387
    fi
done

#
# (Maybe) Setup the VLAN data networks.
# Note, these are for the case where we're giving openstack the chance
# to manage these networks... so we delete the emulab-created vlan devices,
# create an openvswitch switch for the vlan device, and just add the physical
# device as a port.  Simple.
#
for lan in $DATAVLANS ; do
    # suck in the vars we'll use to configure this one
    . $OURDIR/info.$lan

    ifconfig $DATADEV down
    vconfig rem $DATADEV
388 389 390 391 392 393 394 395 396 397

    if [ $LINUXBRIDGE_STATIC -eq 1 ]; then
        # If the bridge exists, we've already done it (we might have
        # multiplexed (trunked) more than one vlan across this physical
        # device).
	brctl addbr ${DATABRIDGE}
	brctl addif ${DATABRIDGE} ${DATAVLANDEV}

	grep "^auto ${DATAVLANDEV}$" /etc/network/interfaces
	if [ ! $? -eq 0 ]; then
398 399
	    if [ $DISTRIB_MAJOR -lt 18 ]; then
		cat <<EOF >> /etc/network/interfaces
400 401 402 403 404 405 406 407 408
auto ${DATAVLANDEV}
iface ${DATAVLANDEV} inet static
    #address 0.0.0.0
    up mkdir -p /var/run/emulab
    # Just touch it, don't put iface/inet/mac into it; the vlans atop this
    # device are being used natively by openstack.  So just let Emulab setup
    # to not setup any of these vlans.
    up touch /var/run/emulab/interface-done-$DATAPMAC
EOF
409 410 411 412 413 414 415 416 417 418
	    else
		cat <<EOF >/etc/systemd/network/${DATAVLANDEV}.network
[Match]
Name=${DATAVLANDEV}

[Network]
Description=OpenStack Data VLAN Physical Interface
DHCP=no
EOF
	    fi
419 420
	fi
    fi
421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439
done

#else
#    ifconfig ${DATA_NETWORK_INTERFACE} $DATAIP netmask 255.0.0.0 up
#
#    cat <<EOF >> /etc/network/interfaces
#
#auto ${DATA_NETWORK_INTERFACE}
#iface ${DATA_NETWORK_INTERFACE} inet static
#    address $DATAIP
#    netmask $DATANETMASK
#EOF
#    if [ -n "$DATAVLANDEV" ]; then
#	cat <<EOF >> /etc/network/interfaces
#    vlan-raw-device ${DATAVLANDEV}
#EOF
#    fi
#fi

440 441 442
# Flush the routing cache
ip route flush cache

443 444 445 446 447
#
# Set the hostname for later after reboot!
#
echo `hostname` > /etc/hostname

448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470
grep -q DYNRUNDIR /etc/emulab/paths.sh
if [ $? -eq 0 ]; then
    echo "*** Hooking Emulab rc.hostnames boot script..."
    mkdir -p $OURDIR/bin
    touch $OURDIR/bin/rc.hostnames-openstack
    chmod 755 $OURDIR/bin/rc.hostnames-openstack
    cat <<EOF >$OURDIR/bin/rc.hostnames-openstack
#!/bin/sh

cp -p $OURDIR/mgmt-hosts /var/run/emulab/hosts.head
exit 0
EOF

    mkdir -p /etc/emulab/run/rcmanifest.d
    touch /etc/emulab/run/rcmanifest.d/0.openstack-rcmanifest.sh
    cat <<EOF >> /etc/emulab/run/rcmanifest.d/0.openstack-rcmanifest.sh
HOOK SERVICE=rc.hostnames ENV=boot WHENCE=every OP=boot POINT=pre FATAL=0 FILE=$OURDIR/bin/rc.hostnames-openstack ARGV="" 
EOF
else
    echo "*** Nullifying Emulab rc.hostnames and rc.ifconfig services!"
    mv /usr/local/etc/emulab/rc/rc.hostnames /usr/local/etc/emulab/rc/rc.hostnames.NO
    mv /usr/local/etc/emulab/rc/rc.ifconfig /usr/local/etc/emulab/rc/rc.ifconfig.NO
fi
471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497

if [ ! ${HAVE_SYSTEMD} -eq 0 ] ; then
    # Maybe this is helpful too
    update-rc.d networking remove
    update-rc.d networking defaults
    # This seems to block systemd from doing its job...
    systemctl disable ifup-wait-emulab-cnet.service
    systemctl mask ifup-wait-emulab-cnet.service
    systemctl stop ifup-wait-emulab-cnet.service

    systemctl daemon-reload
fi

#
# Install a basic ARP reply filter that prevents us from sending ARP replies on
# the control net for anything we're not allowed to use (i.e., we can reply for
# ourselves, and any public addresses we're allowed to use).  Really, we only
# need the public address part on the network manager, but may as well let
# any node reply as any public address we're allowed to use).
#

# Cheat and use our IPADDR/NETMASK instead of NETWORK/NETMASK below...
OURNET=`ip addr show br-ex | sed -n -e 's/.*inet \([0-9\.\/]*\) .*/\1/p'`
# Grab the port that corresponds to our
OURPORT=`ovs-ofctl show br-ex | sed -n -e "s/[ \t]*\([0-9]*\)(${EXTERNAL_NETWORK_INTERFACE}.*\$/\1/p"`

#
498 499
# Ok, make the anti-ARP spoofing rules live, and ensure they get
# saved/loaded across reboot.
500
#
501 502 503
maybe_install_packages ebtables
service_enable ebtables
service_restart ebtables
504

505
ebtables -A FORWARD -p 0x0806 --arp-opcode 2 --arp-ip-src ${ctlip} -j ACCEPT
506
ebtables -A OUTPUT -p 0x0806 --arp-opcode 2 --arp-ip-src ${ctlip} -j ACCEPT
507 508

for addr in $PUBLICADDRS ; do
509
    ebtables -A FORWARD -p 0x0806 --arp-opcode 2 --arp-ip-src ${addr} -j ACCEPT
510
    ebtables -A OUTPUT -p 0x0806 --arp-opcode 2 --arp-ip-src ${addr} -j ACCEPT
511
done
512

513
# Allow any inbound ARP replies on the control network.
514
ebtables -A FORWARD -p 0x0806 --arp-opcode 2 --arp-ip-src ${OURNET} --in-interface ${EXTERNAL_NETWORK_INTERFACE} -j ACCEPT
515 516

# Drop any other control network addr ARP replies on the br-ex switch.
517
ebtables -A FORWARD -p 0x0806 --arp-opcode 2 --arp-ip-src ${OURNET} -j DROP
518
ebtables -A OUTPUT -p 0x0806 --arp-opcode 2 --arp-ip-src ${OURNET} -j DROP
519 520

# Also, drop Emulab vnode control network addr ARP replies on br-ex!
521
ebtables -A FORWARD -p 0x0806 --arp-opcode 2 --arp-ip-src 172.16.0.0/12 -j DROP
522 523
ebtables -A OUTPUT -p 0x0806 --arp-opcode 2 --arp-ip-src 172.16.0.0/12 -j DROP

524 525 526 527 528 529 530 531
# Setup the service to actually save/restore
cat <<EOF > /etc/default/ebtables
EBTABLES_MODULES_UNLOAD="yes"
EBTABLES_LOAD_ON_START="yes"
EBTABLES_SAVE_ON_STOP="yes"
EBTABLES_SAVE_ON_RESTART="yes"
EOF

532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558
#
# NB: but we can't use ebtables to block locally-generated ARP, apparently?
# So use arptables for that!
#
maybe_install_packages arptables
# But there is no save/restore service; so add one
if [ ! -f /etc/init.d/arptables ]; then
    cp $DIRNAME/etc/arptables-initscript /etc/init.d/arptables
    chmod 755 /etc/init.d/arptables
fi
if [ ! ${HAVE_SYSTEMD} -eq 0 ] ; then
    systemctl daemon-reload
fi
service_enable arptables
service_restart arptables

arptables -A OUTPUT --opcode 2 -s ${ctlip} -j ACCEPT

for addr in $PUBLICADDRS ; do
    arptables -A OUTPUT --opcode 2 -s ${addr} -j ACCEPT
done

# Drop any other control network addr ARP replies on the br-ex switch.
arptables -A OUTPUT --opcode 2 -s ${OURNET} -j DROP

# Also, drop Emulab vnode control network addr ARP replies on br-ex!
arptables -A OUTPUT --opcode 2 -s 172.16.0.0/12 -j DROP
559

560 561 562 563 564 565 566 567
# Setup the service to actually save/restore
cat <<EOF > /etc/default/arptables
ARPTABLES_MODULES_UNLOAD="yes"
ARPTABLES_LOAD_ON_START="yes"
ARPTABLES_SAVE_ON_STOP="yes"
ARPTABLES_SAVE_ON_RESTART="yes"
EOF

568
logtend "linuxbridge-node"
569 570

exit 0