60
61
cfg.StrOpt('dns_server',
62
63
help='if set, uses specific dns server for dnsmasq'),
63
cfg.StrOpt('dmz_cidr',
64
default='10.128.0.0/24',
65
help='dmz range that should be accepted'),
64
cfg.ListOpt('dmz_cidr',
66
help='A list of dmz range that should be accepted'),
66
67
cfg.StrOpt('dnsmasq_config_file',
68
69
help='Override the default dnsmasq settings with this file'),
69
70
cfg.StrOpt('linuxnet_interface_driver',
70
71
default='nova.network.linux_net.LinuxBridgeInterfaceDriver',
213
214
self.rules.remove(IptablesRule(chain, rule, wrap, top))
214
215
except ValueError:
215
LOG.debug(_('Tried to remove rule that was not there:'
216
' %(chain)r %(rule)r %(wrap)r %(top)r'),
217
{'chain': chain, 'rule': rule,
218
'top': top, 'wrap': wrap})
216
LOG.warn(_('Tried to remove rule that was not there:'
217
' %(chain)r %(rule)r %(wrap)r %(top)r'),
218
{'chain': chain, 'rule': rule,
219
'top': top, 'wrap': wrap})
220
221
def empty_chain(self, chain, wrap=True):
221
222
"""Remove all rules from a chain."""
445
446
'-s %s -d %s/32 -j ACCEPT' %
446
447
(ip_range, FLAGS.metadata_host))
448
iptables_manager.ipv4['nat'].add_rule('POSTROUTING',
449
'-s %s -d %s -j ACCEPT' %
450
(ip_range, FLAGS.dmz_cidr))
449
for dmz in FLAGS.dmz_cidr:
450
iptables_manager.ipv4['nat'].add_rule('POSTROUTING',
451
'-s %s -d %s -j ACCEPT' %
452
454
iptables_manager.ipv4['nat'].add_rule('POSTROUTING',
453
455
'-s %(range)s -d %(range)s '
493
495
'--dport %s -j DNAT --to %s:1194' %
494
496
(public_ip, port, private_ip))
495
iptables_manager.ipv4['nat'].add_rule("OUTPUT",
497
"--dport %s -j DNAT --to %s:1194" %
497
iptables_manager.ipv4['nat'].add_rule('OUTPUT',
499
'--dport %s -j DNAT --to %s:1194' %
498
500
(public_ip, port, private_ip))
499
501
iptables_manager.apply()
551
555
check_exit_code=[0, 7])
552
556
for ip_params in old_ip_params:
553
557
_execute(*_ip_bridge_cmd('del', ip_params, dev),
554
run_as_root=True, check_exit_code=[0, 2, 254])
558
run_as_root=True, check_exit_code=[0, 2, 254])
555
559
for ip_params in new_ip_params:
556
560
_execute(*_ip_bridge_cmd('add', ip_params, dev),
557
run_as_root=True, check_exit_code=[0, 2, 254])
561
run_as_root=True, check_exit_code=[0, 2, 254])
559
563
_execute('route', 'add', 'default', 'gw', gateway,
560
564
run_as_root=True, check_exit_code=[0, 7])
561
565
if FLAGS.send_arp_for_ha:
562
566
_execute('arping', '-U', network_ref['dhcp_server'],
564
'-c', 1, run_as_root=True, check_exit_code=False)
568
'-c', 1, run_as_root=True, check_exit_code=False)
565
569
if(FLAGS.use_ipv6):
566
570
_execute('ip', '-f', 'inet6', 'addr',
567
'change', network_ref['cidr_v6'],
568
'dev', dev, run_as_root=True)
571
'change', network_ref['cidr_v6'],
572
'dev', dev, run_as_root=True)
571
575
def get_dhcp_leases(context, network_ref):
754
758
_execute('kill', pid, run_as_root=True)
755
759
except Exception as exc: # pylint: disable=W0703
756
LOG.debug(_('killing radvd threw %s'), exc)
760
LOG.error(_('killing radvd threw %s'), exc)
758
762
LOG.debug(_('Pid %d is stale, relaunching radvd'), pid)
790
794
data['instance_hostname'],
791
795
FLAGS.dhcp_domain,
793
"net:" + _host_dhcp_network(data))
797
'net:' + _host_dhcp_network(data))
795
799
return '%s,%s.%s,%s' % (data['vif_address'],
796
800
data['instance_hostname'],
815
819
def _device_exists(device):
816
820
"""Check if ethernet device exists."""
817
821
(_out, err) = _execute('ip', 'link', 'show', 'dev', device,
818
check_exit_code=False)
822
check_exit_code=False, run_as_root=True)
971
976
# (danwent) the bridge will inherit this address, so we want to
972
977
# make sure it is the value set from the NetworkManager
974
_execute('ip', 'link', 'set', interface, "address",
975
mac_address, run_as_root=True)
979
_execute('ip', 'link', 'set', interface, 'address',
980
mac_address, run_as_root=True)
976
981
_execute('ip', 'link', 'set', interface, 'up', run_as_root=True)
977
982
if FLAGS.network_device_mtu:
978
983
_execute('ip', 'link', 'set', interface, 'mtu',
1011
1016
out, err = _execute('brctl', 'addif', bridge, interface,
1012
check_exit_code=False, run_as_root=True)
1017
check_exit_code=False, run_as_root=True)
1014
1019
# NOTE(vish): This will break if there is already an ip on the
1015
1020
# interface, so we move any ips to the bridge
1030
1035
if fields and fields[0] == 'inet':
1031
1036
params = fields[1:-1]
1032
1037
_execute(*_ip_bridge_cmd('del', params, fields[-1]),
1033
run_as_root=True, check_exit_code=[0, 2, 254])
1038
run_as_root=True, check_exit_code=[0, 2, 254])
1034
1039
_execute(*_ip_bridge_cmd('add', params, bridge),
1035
run_as_root=True, check_exit_code=[0, 2, 254])
1040
run_as_root=True, check_exit_code=[0, 2, 254])
1036
1041
if old_gateway:
1037
1042
_execute('route', 'add', 'default', 'gw', old_gateway,
1038
1043
run_as_root=True, check_exit_code=[0, 7])
1040
1045
if (err and err != "device %s is already a member of a bridge;"
1041
1046
"can't enslave it to bridge %s.\n" % (interface, bridge)):
1042
raise exception.Error('Failed to add interface: %s' % err)
1047
msg = _('Failed to add interface: %s') % err
1048
raise exception.NovaException(msg)
1044
1050
# Don't forward traffic unless we were told to be a gateway
1045
1051
ipv4_filter = iptables_manager.ipv4['filter']
1063
1069
if not _device_exists(dev):
1064
1070
bridge = FLAGS.linuxnet_ovs_integration_bridge
1065
1071
_execute('ovs-vsctl',
1066
'--', '--may-exist', 'add-port', bridge, dev,
1067
'--', 'set', 'Interface', dev, "type=internal",
1068
'--', 'set', 'Interface', dev,
1069
"external-ids:iface-id=%s" % dev,
1070
'--', 'set', 'Interface', dev,
1071
"external-ids:iface-status=active",
1072
'--', 'set', 'Interface', dev,
1073
"external-ids:attached-mac=%s" % mac_address,
1075
_execute('ip', 'link', 'set', dev, "address", mac_address,
1072
'--', '--may-exist', 'add-port', bridge, dev,
1073
'--', 'set', 'Interface', dev, 'type=internal',
1074
'--', 'set', 'Interface', dev,
1075
'external-ids:iface-id=%s' % dev,
1076
'--', 'set', 'Interface', dev,
1077
'external-ids:iface-status=active',
1078
'--', 'set', 'Interface', dev,
1079
'external-ids:attached-mac=%s' % mac_address,
1081
_execute('ip', 'link', 'set', dev, 'address', mac_address,
1077
1083
if FLAGS.network_device_mtu:
1078
1084
_execute('ip', 'link', 'set', dev, 'mtu',
1079
1085
FLAGS.network_device_mtu, run_as_root=True)
1082
1088
# If we weren't instructed to act as a gateway then add the
1083
1089
# appropriate flows to block all non-dhcp traffic.
1084
1090
_execute('ovs-ofctl',
1085
'add-flow', bridge, "priority=1,actions=drop",
1091
'add-flow', bridge, 'priority=1,actions=drop',
1087
1093
_execute('ovs-ofctl', 'add-flow', bridge,
1088
"udp,tp_dst=67,dl_dst=%s,priority=2,actions=normal" %
1089
mac_address, run_as_root=True)
1094
'udp,tp_dst=67,dl_dst=%s,priority=2,actions=normal' %
1095
mac_address, run_as_root=True)
1090
1096
# .. and make sure iptbles won't forward it as well.
1091
1097
iptables_manager.ipv4['filter'].add_rule('FORWARD',
1092
1098
'--in-interface %s -j DROP' % bridge)
1104
1110
dev = self.get_dev(network)
1105
1111
bridge = FLAGS.linuxnet_ovs_integration_bridge
1106
1112
_execute('ovs-vsctl', '--', '--if-exists', 'del-port',
1107
bridge, dev, run_as_root=True)
1113
bridge, dev, run_as_root=True)
1110
1116
def get_dev(self, network):
1111
dev = "gw-" + str(network['uuid'][0:11])
1117
dev = 'gw-' + str(network['uuid'][0:11])
1115
1121
# plugs interfaces using Linux Bridge when using QuantumManager
1116
1122
class QuantumLinuxBridgeInterfaceDriver(LinuxNetInterfaceDriver):
1118
BRIDGE_NAME_PREFIX = "brq"
1119
GATEWAY_INTERFACE_PREFIX = "gw-"
1124
BRIDGE_NAME_PREFIX = 'brq'
1125
GATEWAY_INTERFACE_PREFIX = 'gw-'
1121
1127
def plug(self, network, mac_address, gateway=True):
1122
1128
dev = self.get_dev(network)
1143
1149
utils.execute('brctl', 'addbr', bridge, run_as_root=True)
1144
1150
utils.execute('brctl', 'setfd', bridge, str(0), run_as_root=True)
1145
1151
utils.execute('brctl', 'stp', bridge, 'off', run_as_root=True)
1146
utils.execute('ip', 'link', 'set', bridge, "address", mac_address,
1152
utils.execute('ip', 'link', 'set', bridge, 'address', mac_address,
1147
1153
run_as_root=True)
1148
1154
utils.execute('ip', 'link', 'set', bridge, 'up', run_as_root=True)
1149
1155
LOG.debug(_("Done starting bridge %s"), bridge)
1151
full_ip = '%s/%s' % (network['dhcp_server'],
1152
network['cidr'].rpartition('/')[2])
1153
utils.execute('ip', 'address', 'add', full_ip, 'dev', bridge,
1157
full_ip = '%s/%s' % (network['dhcp_server'],
1158
network['cidr'].rpartition('/')[2])
1159
utils.execute('ip', 'address', 'add', full_ip, 'dev', bridge,
1165
1171
utils.execute('ip', 'link', 'delete', dev, run_as_root=True)
1166
1172
except exception.ProcessExecutionError:
1167
LOG.warning(_("Failed unplugging gateway interface '%s'"),
1173
LOG.error(_("Failed unplugging gateway interface '%s'"), dev)
1170
1175
LOG.debug(_("Unplugged gateway interface '%s'"), dev)
1177
1182
# First, try with 'ip'
1178
1183
utils.execute('ip', 'tuntap', 'add', dev, 'mode', 'tap',
1180
1185
except exception.ProcessExecutionError:
1181
1186
# Second option: tunctl
1182
1187
utils.execute('tunctl', '-b', '-t', dev, run_as_root=True)
1183
1188
if mac_address:
1184
utils.execute('ip', 'link', 'set', dev, "address", mac_address,
1189
utils.execute('ip', 'link', 'set', dev, 'address', mac_address,
1185
1190
run_as_root=True)
1186
1191
utils.execute('ip', 'link', 'set', dev, 'up', run_as_root=True)