- 10 Nov, 2014 8 commits

Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Mention AUTHENTICATION_METHOD setting in docs and update configure section with all missing settings included in /etc/default/snf-network.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
The valid authentication methods are:
- plain (nsupdate)
- bind9 (nsupdate -k)
- kerberos (nsupdate -g)
The plain method assumes that the server allows updates without authentication (e.g. allow-update { 192.0.2.1;};). The bind9 method uses the -k option and requires a keyfile. The kerberos method uses the -g option and requires a principal and a keytab. For backwards compatibility, if the AUTHENTICATION_METHOD setting is missing in the defaults file we use bind9.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Mention correctly when it runs and be more informative wrt the nsupdate authentication methods supported (TSIG for bind9 and GSS-TSIG for AD).
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Let it run only after certain opcodes (instance-add, instance-modify, instance-remove, instance-rename).
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
..that explains how to configure snf-network in order to use it for dynamic DNS update against an AD controller.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Up until now snf-network used nsupdate with a keyfile to dynamically update DNS entries on an external nameserver (bind9). This patch adds support for authenticating against an AD controller using Kerberos. Specifically we use "k5start -H" to ensure there is a happy ticket, otherwise use a keytab containing the password to obtain a ticket automatically. Finally, we use nsupdate in GSS-TSIG mode (with the -g option and with the KRB5CCNAME environment variable pointing to the ticket obtained previously by k5start) to update the AD-integrated DNS server. The keytab file can be added with:
# ktutil -v add -V 1 -e aes256-cts -p PRINCIPAL
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
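
The AUTHENTICATION_METHOD handling and the Kerberos sequence described in the two commits above, as an added example that is not snf-network's own code: the function names, the one-minute k5start threshold and the record values are assumptions, while the nsupdate -k/-g flags, the bind9 fallback and KRB5CCNAME come from the commit messages.

```shell
#!/bin/sh
# Added example, not snf-network's own code. It maps the AUTHENTICATION_METHOD
# setting onto nsupdate options (falling back to bind9 when unset, as the
# commit states), builds the batch fed to nsupdate, and shows the k5start step
# that precedes "nsupdate -g". Function names and the k5start threshold are
# assumptions; the nsupdate/k5start flags are the ones the commits name.

# Print the nsupdate authentication options for a method.
#   $1 method: plain | bind9 | kerberos | "" (unset means bind9)
#   $2 TSIG key file, required for bind9 only
nsupdate_auth_args() {
  case "${1:-bind9}" in
    plain)    printf '\n' ;;                # server must allow-update the client
    bind9)    [ -n "$2" ] || { echo 'bind9 needs a keyfile' >&2; return 1; }
              printf '%s\n' "-k $2" ;;      # TSIG with a key file
    kerberos) printf '%s\n' "-g" ;;         # GSS-TSIG, ticket read via KRB5CCNAME
    *)        echo "unknown AUTHENTICATION_METHOD: $1" >&2; return 1 ;;
  esac
}

# Assemble the nsupdate command line; for Kerberos the credential cache that
# k5start filled ($3) is handed over through KRB5CCNAME.
nsupdate_command() {
  args=$(nsupdate_auth_args "$1" "$2") || return 1
  if [ "${1:-bind9}" = kerberos ]; then
    printf 'KRB5CCNAME=%s nsupdate %s\n' "$3" "$args"
  else
    printf 'nsupdate%s\n' "${args:+ $args}"
  fi
}

# Batch that replaces the A record of a host: server, name, ip, optional ttl.
nsupdate_batch() {
  printf 'server %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
    "$1" "$2" "$2" "${4:-300}" "$3"
}

# k5start invocation run before "nsupdate -g": -H keeps an existing ticket
# that is still valid for at least this many minutes, otherwise the keytab
# (-f) is used to obtain a fresh one into the cache given with -k.
k5start_command() {
  printf 'k5start -H 1 -u %s -f %s -k %s\n' "$1" "$2" "$3"
}
```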

Dimitris Aragiorgis authored

- 16 Apr, 2014 1 commit

Dimitris Aragiorgis authored

- 14 Apr, 2014 5 commits

Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
In routed setup do not allow packets coming from a TAP to have a different source IP than the one they are supposed to have. This reduces chances for udp attacks originating inside the datacenter.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

- 07 Apr, 2014 3 commits

Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
The save() function is used in order to save and backup iptables/arptables/ebtables commands related to each interface. The log() function is a wrapper of the snf-network-log script. Do not use a default variable for the log script. This could cause a fork bomb if the admin forgot to define it.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

- 04 Apr, 2014 4 commits

Dimitris Aragiorgis authored
This was forgotten when the log helper function was introduced.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
For each interface create a file named e.g., tap1 under /var/lib/snf-network/. This file will include all important variables related to the interface (INSTANCE, IP, EUI64, etc.) and then all iptables, arptables and ebtables commands that snf-network has invoked while configuring it. This can be helpful for admins while reloading ferm rules or for debugging purposes.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

- 27 Mar, 2014 7 commits

Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
..to delete neighbor proxy only:
1) in old primary node during instance migrate/failover
2) in primary node during instance shutdown/remove
Please note that this is done also by kvm-ifdown-custom.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
..and don't count on tags, etc. This should work on a best effort basis.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Ganeti exports node names with their FQDN. Use hostname -f to compare the exported variables and decide whether to execute the hook or not.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Use $oldchain instead of $chain.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

- 26 Mar, 2014 1 commit

Dimitris Aragiorgis authored
Depending on each rule's reason we add a relevant comment prefixed with "snf-network_". Currently we have three reasons: firewall, proxy-arp, extra. Additionally save all rules under /etc/iptables/ at the end of the ifup-extra script. This can be used to restore some rules after reloading ferm.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
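
The per-interface record under /var/lib/snf-network, the snf-network_ comment prefix, the log script without a default and the routed anti-spoofing check from the 14 Apr, 07 Apr and 04 Apr commits and this one, as an added example rather than the project's own save()/log(): STATE_DIR, LOG_SCRIPT, the exact iptables rule and the demo values are assumptions.

```shell
#!/bin/sh
# Added example, not snf-network's own code. It models three points from the
# commits: drop traffic from a TAP whose source IP is not the one assigned to
# it, tag each rule with an "snf-network_<reason>" comment, and record every
# command in a per-interface file so an admin can replay it after reloading
# ferm. STATE_DIR, LOG_SCRIPT and the exact iptables rule are assumptions.

STATE_DIR="${STATE_DIR:-/var/lib/snf-network}"

# save: append the command to the interface's record file, writing the
# interface's variables first when the file is new, then run it unless
# DRY_RUN is set.
save() {
  f="$STATE_DIR/$INTERFACE"
  [ -e "$f" ] || printf 'INSTANCE=%s\nIP=%s\n' "$INSTANCE" "$IP" > "$f"
  printf '%s\n' "$*" >> "$f"
  [ -n "$DRY_RUN" ] || "$@"
}

# log: wrapper around the configured log script. There is deliberately no
# default: a default that points back at this script is how a fork bomb
# starts, so an unset LOG_SCRIPT is reported instead.
log() {
  [ -n "$LOG_SCRIPT" ] || { echo 'LOG_SCRIPT is not set' >&2; return 1; }
  "$LOG_SCRIPT" "$@"
}

# Routed setup: a forwarded packet arriving from the TAP must carry the
# instance's IP as source; anything else is dropped and the rule is tagged
# with the "firewall" reason.
routed_antispoof_rule() {
  save iptables -A FORWARD -i "$INTERFACE" ! -s "$IP" \
       -m comment --comment snf-network_firewall -j DROP
}

# Number of iptables commands recorded for an interface.
recorded_commands() {
  grep -c '^iptables ' "$STATE_DIR/$1"
}

# Demo with constructed values; "sh this.sh demo" never touches the firewall.
if [ "${1:-}" = demo ]; then
  STATE_DIR=$(mktemp -d) DRY_RUN=1 INTERFACE=tap1 INSTANCE=vm1 IP=192.0.2.10
  routed_antispoof_rule
  cat "$STATE_DIR/tap1"
fi
```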
- 20 Mar, 2014 1 commit

Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

- 11 Mar, 2014 2 commits

Dimitris Aragiorgis authored
..and use upper case for all acronyms (NIC, TAP, DNS, SSH, RDP).
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Remove further info and implementation details of ip-less-routed and private-filtered setups from main page. Introduce routed and ebtables page to include all this info. Add /etc/network/interfaces examples for ip-less-routed configuration.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

- 10 Mar, 2014 8 commits

Dimitris Aragiorgis authored
..and add interfaces, vmrouter ifup and ifdown scripts, and prv-net-helper.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Use addresses reserved for documentation in interfaces example file. Mention two setups:
* routed setup
  - external router
  - nodes without IP inside routed network
  - proxy ARP
* bridged setup
  - extra common interfaces on all nodes
  - one common bridge on separate interface
  - node with internet access is the gateway and does NAT
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
- ifup-extra
- firewall
- nfdhcpd
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
This ferm defines 3 extra chains in the filter table (for both ipv4 and ipv6): protected, limited, unprotected. The first drops incoming new connections, allows dns replies and pings. The second allows the ssh and rdp ports. The third just accepts the packet.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Just like routed setups we parse the instance's tags and search for a specific suffix (chain). If found we add an ebtables rule so that outgoing traffic to the tap will go through this chain. Note that those chains should be created by the admin first.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
Note that currently this is executed only during OP_INSTANCE_SET_PARAMS. Before using it we should query_dns().
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

Dimitris Aragiorgis authored
GANETI_INSTANCE_NAME is available only in hooks. The library uses INSTANCE so we should set it as soon as possible. Hooks are not aware of INTERFACE. Thus get_info() will find INDEV and ebtables chains only during NIC configuration scripts.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>