66
66
def metadata_forward():
67
67
"""Create forwarding rule for metadata"""
68
_confirm_rule("PREROUTING", "-t nat -s 0.0.0.0/0 "
69
"-d 169.254.169.254/32 -p tcp -m tcp --dport 80 -j DNAT "
70
"--to-destination %s:%s" % (FLAGS.ec2_dmz_host, FLAGS.ec2_port))
68
_confirm_rule("PREROUTING", '-t', 'nat', '-s', '0.0.0.0/0',
69
'-d', '169.254.169.254/32', '-p', 'tcp', '-m', 'tcp',
70
'--dport', '80', '-j', 'DNAT',
72
'%s:%s' % (FLAGS.ec2_dmz_host, FLAGS.ec2_port))
74
76
"""Basic networking setup goes here"""
76
78
if FLAGS.use_nova_chains:
77
_execute("sudo iptables -N nova_input", check_exit_code=False)
78
_execute("sudo iptables -D %s -j nova_input" % FLAGS.input_chain,
79
check_exit_code=False)
80
_execute("sudo iptables -A %s -j nova_input" % FLAGS.input_chain)
82
_execute("sudo iptables -N nova_forward", check_exit_code=False)
83
_execute("sudo iptables -D FORWARD -j nova_forward",
84
check_exit_code=False)
85
_execute("sudo iptables -A FORWARD -j nova_forward")
87
_execute("sudo iptables -N nova_output", check_exit_code=False)
88
_execute("sudo iptables -D OUTPUT -j nova_output",
89
check_exit_code=False)
90
_execute("sudo iptables -A OUTPUT -j nova_output")
92
_execute("sudo iptables -t nat -N nova_prerouting",
93
check_exit_code=False)
94
_execute("sudo iptables -t nat -D PREROUTING -j nova_prerouting",
95
check_exit_code=False)
96
_execute("sudo iptables -t nat -A PREROUTING -j nova_prerouting")
98
_execute("sudo iptables -t nat -N nova_postrouting",
99
check_exit_code=False)
100
_execute("sudo iptables -t nat -D POSTROUTING -j nova_postrouting",
101
check_exit_code=False)
102
_execute("sudo iptables -t nat -A POSTROUTING -j nova_postrouting")
104
_execute("sudo iptables -t nat -N nova_snatting",
105
check_exit_code=False)
106
_execute("sudo iptables -t nat -D POSTROUTING -j nova_snatting",
107
check_exit_code=False)
108
_execute("sudo iptables -t nat -A POSTROUTING -j nova_snatting")
110
_execute("sudo iptables -t nat -N nova_output", check_exit_code=False)
111
_execute("sudo iptables -t nat -D OUTPUT -j nova_output",
112
check_exit_code=False)
113
_execute("sudo iptables -t nat -A OUTPUT -j nova_output")
79
_execute('sudo', 'iptables', '-N', 'nova_input', check_exit_code=False)
80
_execute('sudo', 'iptables', '-D', FLAGS.input_chain,
82
check_exit_code=False)
83
_execute('sudo', 'iptables', '-A', FLAGS.input_chain,
85
_execute('sudo', 'iptables', '-N', 'nova_forward',
86
check_exit_code=False)
87
_execute('sudo', 'iptables', '-D', 'FORWARD', '-j', 'nova_forward',
88
check_exit_code=False)
89
_execute('sudo', 'iptables', '-A', 'FORWARD', '-j', 'nova_forward')
90
_execute('sudo', 'iptables', '-N', 'nova_output',
91
check_exit_code=False)
92
_execute('sudo', 'iptables', '-D', 'OUTPUT', '-j', 'nova_output',
93
check_exit_code=False)
94
_execute('sudo', 'iptables', '-A', 'OUTPUT', '-j', 'nova_output')
95
_execute('sudo', 'iptables', '-t', 'nat', '-N', 'nova_prerouting',
96
check_exit_code=False)
97
_execute('sudo', 'iptables', '-t', 'nat', '-D', 'PREROUTING',
98
'-j', 'nova_prerouting', check_exit_code=False)
99
_execute('sudo', 'iptables', '-t', 'nat', '-A', 'PREROUTING',
100
'-j', 'nova_prerouting')
101
_execute('sudo', 'iptables', '-t', 'nat', '-N', 'nova_postrouting',
102
check_exit_code=False)
103
_execute('sudo', 'iptables', '-t', 'nat', '-D', 'POSTROUTING',
104
'-j', 'nova_postrouting', check_exit_code=False)
105
_execute('sudo', 'iptables', '-t', 'nat', '-A', 'POSTROUTING',
106
'-j', 'nova_postrouting')
107
_execute('sudo', 'iptables', '-t', 'nat', '-N', 'nova_snatting',
108
check_exit_code=False)
109
_execute('sudo', 'iptables', '-t', 'nat', '-D', 'POSTROUTING',
110
'-j nova_snatting', check_exit_code=False)
111
_execute('sudo', 'iptables', '-t', 'nat', '-A', 'POSTROUTING',
112
'-j', 'nova_snatting')
113
_execute('sudo', 'iptables', '-t', 'nat', '-N', 'nova_output',
114
check_exit_code=False)
115
_execute('sudo', 'iptables', '-t', 'nat', '-D', 'OUTPUT',
116
'-j nova_output', check_exit_code=False)
117
_execute('sudo', 'iptables', '-t', 'nat', '-A', 'OUTPUT',
115
120
# NOTE(vish): This makes it easy to ensure snatting rules always
116
121
# come after the accept rules in the postrouting chain
117
_execute("sudo iptables -t nat -N SNATTING",
118
check_exit_code=False)
119
_execute("sudo iptables -t nat -D POSTROUTING -j SNATTING",
120
check_exit_code=False)
121
_execute("sudo iptables -t nat -A POSTROUTING -j SNATTING")
122
_execute('sudo', 'iptables', '-t', 'nat', '-N', 'SNATTING',
123
check_exit_code=False)
124
_execute('sudo', 'iptables', '-t', 'nat', '-D', 'POSTROUTING',
125
'-j', 'SNATTING', check_exit_code=False)
126
_execute('sudo', 'iptables', '-t', 'nat', '-A', 'POSTROUTING',
123
129
# NOTE(devcamcar): Cloud public SNAT entries and the default
124
130
# SNAT rule for outbound traffic.
125
_confirm_rule("SNATTING", "-t nat -s %s "
126
"-j SNAT --to-source %s"
127
% (FLAGS.fixed_range, FLAGS.routing_source_ip), append=True)
131
_confirm_rule("SNATTING", '-t', 'nat', '-s', FLAGS.fixed_range,
132
'-j', 'SNAT', '--to-source', FLAGS.routing_source_ip,
129
_confirm_rule("POSTROUTING", "-t nat -s %s -d %s -j ACCEPT" %
130
(FLAGS.fixed_range, FLAGS.dmz_cidr))
131
_confirm_rule("POSTROUTING", "-t nat -s %(range)s -d %(range)s -j ACCEPT" %
132
{'range': FLAGS.fixed_range})
135
_confirm_rule("POSTROUTING", '-t', 'nat', '-s', FLAGS.fixed_range,
136
'-d', FLAGS.dmz_cidr, '-j', 'ACCEPT')
137
_confirm_rule("POSTROUTING", '-t', 'nat', '-s', FLAGS.fixed_range,
138
'-d', FLAGS.fixed_range, '-j', 'ACCEPT')
135
141
def bind_floating_ip(floating_ip, check_exit_code=True):
136
142
"""Bind ip to public interface"""
137
_execute("sudo ip addr add %s dev %s" % (floating_ip,
138
FLAGS.public_interface),
143
_execute('sudo', 'ip', 'addr', 'add', floating_ip,
144
'dev', FLAGS.public_interface,
139
145
check_exit_code=check_exit_code)
142
148
def unbind_floating_ip(floating_ip):
143
149
"""Unbind a public ip from public interface"""
144
_execute("sudo ip addr del %s dev %s" % (floating_ip,
145
FLAGS.public_interface))
150
_execute('sudo', 'ip', 'addr', 'del', floating_ip,
151
'dev', FLAGS.public_interface)
148
154
def ensure_vlan_forward(public_ip, port, private_ip):
149
155
"""Sets up forwarding rules for vlan"""
150
_confirm_rule("FORWARD", "-d %s -p udp --dport 1194 -j ACCEPT" %
152
_confirm_rule("PREROUTING",
153
"-t nat -d %s -p udp --dport %s -j DNAT --to %s:1194"
154
% (public_ip, port, private_ip))
156
_confirm_rule("FORWARD", '-d', private_ip, '-p', 'udp',
157
'--dport', '1194', '-j', 'ACCEPT')
158
_confirm_rule("PREROUTING", '-t', 'nat', '-d', public_ip, '-p', 'udp',
159
'--dport', port, '-j', 'DNAT', '--to', '%s:1194'
157
163
def ensure_floating_forward(floating_ip, fixed_ip):
158
164
"""Ensure floating ip forwarding rule"""
159
_confirm_rule("PREROUTING", "-t nat -d %s -j DNAT --to %s"
160
% (floating_ip, fixed_ip))
161
_confirm_rule("OUTPUT", "-t nat -d %s -j DNAT --to %s"
162
% (floating_ip, fixed_ip))
163
_confirm_rule("SNATTING", "-t nat -s %s -j SNAT --to %s"
164
% (fixed_ip, floating_ip))
165
_confirm_rule("PREROUTING", '-t', 'nat', '-d', floating_ip, '-j', 'DNAT',
167
_confirm_rule("OUTPUT", '-t', 'nat', '-d', floating_ip, '-j', 'DNAT',
169
_confirm_rule("SNATTING", '-t', 'nat', '-s', fixed_ip, '-j', 'SNAT',
167
173
def remove_floating_forward(floating_ip, fixed_ip):
168
174
"""Remove forwarding for floating ip"""
169
_remove_rule("PREROUTING", "-t nat -d %s -j DNAT --to %s"
170
% (floating_ip, fixed_ip))
171
_remove_rule("OUTPUT", "-t nat -d %s -j DNAT --to %s"
172
% (floating_ip, fixed_ip))
173
_remove_rule("SNATTING", "-t nat -s %s -j SNAT --to %s"
174
% (fixed_ip, floating_ip))
175
_remove_rule("PREROUTING", '-t', 'nat', '-d', floating_ip, '-j', 'DNAT',
177
_remove_rule("OUTPUT", '-t', 'nat', '-d', floating_ip, '-j', 'DNAT',
179
_remove_rule("SNATTING", '-t', 'nat', '-s', fixed_ip, '-j', 'SNAT',
177
183
def ensure_vlan_bridge(vlan_num, bridge, net_attrs=None):
207
213
if not _device_exists(bridge):
208
214
LOG.debug(_("Starting Bridge interface for %s"), interface)
209
_execute("sudo brctl addbr %s" % bridge)
210
_execute("sudo brctl setfd %s 0" % bridge)
215
_execute('sudo', 'brctl', 'addbr', bridge)
216
_execute('sudo', 'brctl', 'setfd', bridge, 0)
211
217
# _execute("sudo brctl setageing %s 10" % bridge)
212
_execute("sudo brctl stp %s off" % bridge)
213
_execute("sudo ip link set %s up" % bridge)
218
_execute('sudo', 'brctl', 'stp', bridge, 'off')
219
_execute('sudo', 'ip', 'link', 'set', bridge, up)
215
221
# NOTE(vish): The ip for dnsmasq has to be the first address on the
216
222
# bridge for it to respond to reqests properly
217
223
suffix = net_attrs['cidr'].rpartition('/')[2]
218
out, err = _execute("sudo ip addr add %s/%s brd %s dev %s" %
219
(net_attrs['gateway'],
221
net_attrs['broadcast'],
224
out, err = _execute('sudo', 'ip', 'addr', 'add',
226
(net_attrs['gateway'], suffix),
228
net_attrs['broadcast'],
223
231
check_exit_code=False)
224
232
if err and err != "RTNETLINK answers: File exists\n":
225
233
raise exception.Error("Failed to add ip: %s" % err)
226
234
if(FLAGS.use_ipv6):
227
_execute("sudo ip -f inet6 addr change %s dev %s" %
228
(net_attrs['cidr_v6'], bridge))
235
_execute('sudo', 'ip', '-f', 'inet6', 'addr',
236
'change', net_attrs['cidr_v6'],
229
238
# NOTE(vish): If the public interface is the same as the
230
239
# bridge, then the bridge has to be in promiscuous
231
240
# to forward packets properly.
232
241
if(FLAGS.public_interface == bridge):
233
_execute("sudo ip link set dev %s promisc on" % bridge)
242
_execute('sudo', 'ip', 'link', 'set',
243
'dev', bridge, 'promisc', 'on')
235
245
# NOTE(vish): This will break if there is already an ip on the
236
246
# interface, so we move any ips to the bridge
238
out, err = _execute("sudo route -n")
248
out, err = _execute('sudo', 'route', '-n')
239
249
for line in out.split("\n"):
240
250
fields = line.split()
241
251
if fields and fields[0] == "0.0.0.0" and fields[-1] == interface:
242
252
gateway = fields[1]
243
out, err = _execute("sudo ip addr show dev %s scope global" %
253
out, err = _execute('sudo', 'ip', 'addr', 'show', 'dev', interface,
245
255
for line in out.split("\n"):
246
256
fields = line.split()
247
257
if fields and fields[0] == "inet":
248
258
params = ' '.join(fields[1:-1])
249
_execute("sudo ip addr del %s dev %s" % (params, fields[-1]))
250
_execute("sudo ip addr add %s dev %s" % (params, bridge))
259
_execute('sudo', 'ip', 'addr',
260
'del', params, 'dev', fields[-1])
261
_execute('sudo', 'ip', 'addr',
262
'add', params, 'dev', bridge)
252
_execute("sudo route add 0.0.0.0 gw %s" % gateway)
253
out, err = _execute("sudo brctl addif %s %s" %
264
_execute('sudo', 'route', 'add', '0.0.0.0', 'gw', gateway)
265
out, err = _execute('sudo', 'brctl', 'addif', bridge, interface,
255
266
check_exit_code=False)
257
268
if (err and err != "device %s is already a member of a bridge; can't "