Commit 8c9626b0 authored by Dimitris Aragiorgis

Backup iptables, arptables, ebtables commands

For each interface create a file named e.g., tap1 under
/var/lib/snf-network/. This file will include all important
variables related to the interface (INSTANCE, IP, EUI64, etc.) and
then all iptables, arptables and ebtables commands that snf-network
has invoked while configuring it. This can be helpful for admins
while reloading ferm rules or for debugging purposes.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
parent 7e854865
......@@ -41,6 +41,33 @@ function try {
}
function clear_log {
rm -f /var/lib/snf-network/$INTERFACE
}
function init_log {
cat > /var/lib/snf-network/$INTERFACE <<EOF
INSTANCE=$INSTANCE
IP=$IP
EUI64=$EUI64
LINK=$LINK
NETWORK_NAME=$NETWORK_NAME
INTERFACE_NAME=$INTERFACE_NAME
NETWORK_TAGS="$NETWORK_TAGS"
TAGS="$TAGS"
EOF
}
function log {
echo $@ >> /var/lib/snf-network/$INTERFACE
}
function clear_routed_setup_ipv4 {
arptables -D OUTPUT -o $INTERFACE --opcode request -j mangle
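Review bot: `log` appends `echo $@` unquoted, so the file it writes is not a faithful copy of what was executed: the `--comment "snf-network_proxy-arp"` arguments on the later `log` lines lose their quotes and `\!` is recorded as a bare `!`, which matters if an admin replays these lines. Writing `printf '%q ' "$@" >> /var/lib/snf-network/$INTERFACE; printf '\n' >> /var/lib/snf-network/$INTERFACE` preserves shell quoting and also stops `echo` from treating a leading `-n`/`-e` as an option. `clear_log` and `init_log` build the path from an unguarded `$INTERFACE`; with it empty or unset, `rm -f` and `cat >` would target the directory itself, so `/var/lib/snf-network/${INTERFACE:?}` fails loudly instead. Neither function creates `/var/lib/snf-network`, so `init_log` presumably relies on packaging to provide that directory.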
......@@ -117,7 +144,7 @@ function routed_setup_ipv4 {
fi
# mangle ARPs to come from the gw's IP
arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY" -m comment --comment "snf-network_proxy-arp"
log arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY" -m comment --comment "snf-network_proxy-arp"
# route interface to the proper routing table
ip rule add dev $INTERFACE table $TABLE
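Review bot: Every rule is now written twice, once to run and once with a `log` prefix (here L38–L39, and likewise in the `routed_setup_firewall`, `bridged_setup_firewall`, `init_ebtables` and `setup_ebtables` hunks), so the recorded command can silently drift from the executed one on the next edit. A small wrapper that logs and then runs its arguments keeps the two in lockstep: `function run_log { log "$@"; "$@"; }` followed by `run_log arptables -A OUTPUT -o $INTERFACE --opcode request -j mangle --mangle-ip-s "$NETWORK_GATEWAY" -m comment --comment "snf-network_proxy-arp"`. Because the real command is the wrapper's last statement, callers see its exit status unchanged. `routed_setup_ipv4` starts and ends outside this hunk.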
......@@ -189,8 +216,8 @@ function routed_setup_firewall {
done
if [ "x$chain" != "x" ]; then
iptables -A FORWARD -o $INTERFACE -j $chain -m comment --comment "snf-network_firewall"
ip6tables -A FORWARD -o $INTERFACE -j $chain -m comment --comment "snf-network_firewall"
log iptables -A FORWARD -o $INTERFACE -j $chain -m comment --comment "snf-network_firewall"
log ip6tables -A FORWARD -o $INTERFACE -j $chain -m comment --comment "snf-network_firewall"
fi
}
......@@ -218,21 +245,21 @@ function bridged_setup_firewall {
done
if [ "x$chain" != "x" ]; then
iptables -I FORWARD -m physdev --physdev-out $INTERFACE -j $chain -m comment --comment "snf-network_firewall"
ip6tables -I FORWARD -m physdev --physdev-out $INTERFACE -j $chain -m comment --comment "snf-network_firewall"
log iptables -I FORWARD -m physdev --physdev-out $INTERFACE -j $chain -m comment --comment "snf-network_firewall"
log ip6tables -I FORWARD -m physdev --physdev-out $INTERFACE -j $chain -m comment --comment "snf-network_firewall"
fi
}
function init_ebtables {
runlocked $RUNLOCKED_OPTS ebtables -N $FROM -P RETURN
runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -i $INTERFACE -j $FROM
log runlocked $RUNLOCKED_OPTS ebtables -N $FROM -P RETURN
log runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -i $INTERFACE -j $FROM
# This is needed for multicast packets
runlocked $RUNLOCKED_OPTS ebtables -A INPUT -i $INTERFACE -j $FROM
log runlocked $RUNLOCKED_OPTS ebtables -A INPUT -i $INTERFACE -j $FROM
runlocked $RUNLOCKED_OPTS ebtables -N $TO -P RETURN
runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -o $INTERFACE -j $TO
log runlocked $RUNLOCKED_OPTS ebtables -N $TO -P RETURN
log runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -o $INTERFACE -j $TO
# This is needed for multicast packets
runlocked $RUNLOCKED_OPTS ebtables -A OUTPUT -o $INTERFACE -j $TO
log runlocked $RUNLOCKED_OPTS ebtables -A OUTPUT -o $INTERFACE -j $TO
}
......@@ -243,14 +270,14 @@ function setup_ebtables {
if [ -n "$IP" ]; then
:; # runlocked $RUNLOCKED_OPTS ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
fi
runlocked $RUNLOCKED_OPTS ebtables -A $FROM -s \! $MAC -j DROP
log runlocked $RUNLOCKED_OPTS ebtables -A $FROM -s \! $MAC -j DROP
# accept dhcp responses from host (nfdhcpd)
# this is actually not needed because nfdhcpd opens a socket and binds is with
# tap interface so dhcp response does not go through bridge
# INDEV_MAC=$(cat /sys/class/net/$INDEV/address)
# runlocked $RUNLOCKED_OPTS ebtables -A $TO -s $INDEV_MAC -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
# allow only packets from the same mac prefix
runlocked $RUNLOCKED_OPTS ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
log runlocked $RUNLOCKED_OPTS ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
}
function setup_masq {
......
......@@ -48,5 +48,6 @@ try clear_routed_setup_firewall
try delete_neighbor_proxy
try clear_nfdhcpd
try clear_ebtables
try clear_log
exit 0
......@@ -48,6 +48,9 @@ try clear_routed_setup_firewall
try clear_bridged_setup_firewall
try clear_ebtables
try clear_nfdhcpd
try clear_log
init_log
if [ "$MODE" = "routed" ]; then
ip link set $INTERFACE addr $TAP_CONSTANT_MAC up
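Review bot: `init_log` is called bare at L104 while every neighbouring `clear_*` call goes through `try`; if `/var/lib/snf-network` is missing or not writable, the `cat >` inside `init_log` fails and, should this script run under `set -e` (not visible in the hunk), ifup aborts before `ip link set ... up` runs, so a purely auxiliary log would keep the interface down. Wrapping it the same way, `try init_log`, or creating the directory first with `mkdir -p /var/lib/snf-network`, keeps logging best-effort; the semantics of `try` are defined outside this hunk, so confirm it tolerates the failure. The same applies to the second ifup hunk at L113.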
......
......@@ -59,6 +59,9 @@ try clear_routed_setup_firewall
try clear_bridged_setup_firewall
try clear_ebtables
try clear_nfdhcpd
try clear_log
init_log
if [ "$MODE" = "routed" ]; then
ip link set $INTERFACE up
......