Commit c4923eba authored by David Johnson's avatar David Johnson

Work around Emulab Xen firewall rules preventing experiment net traffic from escaping.

parent 82331f52
......@@ -252,6 +252,7 @@ if [ -z "\$VTAG" ]; then
echo "ERROR: fatal: could not find bridge for $agglan"
exit 1
fi
BRNAME=br\$VTAG
mkdir -p /etc/iproute2
echo $aggnum $aggprefix >> /etc/iproute2/rt_tables
......@@ -259,8 +260,10 @@ ip rule add from $agg_cidr table $aggprefix
ip rule add iif tun-$aggprefix to $agg_cidr table $aggprefix
ip route add $mlan_CIDR via $VPN_SERVER dev tun-$aggprefix table $aggprefix
ip route add 192.168.0.0/16 via $VPN_SERVER dev tun-$aggprefix table $aggprefix
ifconfig br\$VTAG $agg_gw netmask $agg_mask up
ip route add $agg_cidr dev br\$VTAG table $aggprefix
ifconfig \$BRNAME $agg_gw netmask $agg_mask up
ip route add $agg_cidr dev \$BRNAME table $aggprefix
iptables -I FORWARD -o tun-$aggprefix -i \$BRNAME -j ACCEPT
iptables -I FORWARD -i tun-$aggprefix -o \$BRNAME -j ACCEPT
EOF
chmod 755 /etc/openvpn/clients/$node-route-up.sh
cat <<EOF > /etc/openvpn/clients/$node-route-pre-down.sh
......@@ -277,11 +280,14 @@ if [ -z "\$VTAG" ]; then
echo "ERROR: fatal: could not find bridge for $agglan"
exit 1
fi
BRNAME=br\$VTAG
ip rule del from $agg_cidr table $aggprefix
ip rule del iif tun-$aggprefix to $agg_cidr table $aggprefix
ip route flush table $aggprefix
ifconfig br\$VTAG 0 up
ifconfig \$BRNAME 0 up
iptables -D FORWARD -o tun-$aggprefix -i \$BRNAME -j ACCEPT
iptables -D FORWARD -i tun-$aggprefix -o \$BRNAME -j ACCEPT
EOF
chmod 755 /etc/openvpn/clients/$node-route-pre-down.sh
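Review bot: The two FORWARD rules added to the generated route-up script (second hunk) accept every packet between tun-$aggprefix and $BRNAME with no address match, which is broader than the routes right above them that are scoped to $agg_cidr and $mlan_CIDR, and `-I` places them ahead of whatever the host firewall already has in FORWARD. Scoping them to the aggregate prefix keeps the workaround to the traffic it is meant to let through, e.g. `iptables -I FORWARD -s $agg_cidr -o tun-$aggprefix -i \$BRNAME -j ACCEPT` and `iptables -I FORWARD -d $agg_cidr -i tun-$aggprefix -o \$BRNAME -j ACCEPT`, with the same match terms on the `-D` lines in the pre-down hunk so deletion still finds the rule. Separately, if route-up runs again without an intervening pre-down (a reconnect, say), `-I` stacks a duplicate that the single `-D` later does not remove; guarding each insert with `iptables -C <same rule> 2>/dev/null || iptables -I <same rule>` avoids that accumulation. Both generated scripts start before their hunks, so whether they run under `set -e` (which would make a failing `-D` abort pre-down) is not visible here.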
......