Commit a4288eb9 authored by Dimitris Aragiorgis

Support firewall for bridged setups

Just like routed setups we parse instance's tags and search
for a specific suffix (chain). If found we add an ebtables
rule so that outgoing traffic to tap will go through this
chain.

Note that those chains should be created by admin first.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
parent d5dcabbb
......@@ -75,6 +75,15 @@ function clear_routed_setup_firewall {
}
function clear_bridged_setup_firewall {
for oldchain in protected unprotected limited; do
iptables -D FORWARD -m physdev --physdev-out $INTERFACE -j $chain
ip6tables -D FORWARD -m physdev --physdev-out $INTERFACE -j $chain
done
}
function clear_ebtables {
runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -i $INTERFACE -j $FROM
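Review bot: In clear_bridged_setup_firewall the loop variable is `oldchain`, but both delete commands jump to `$chain`, so the `-D` never targets the chain being iterated: whatever `chain` holds at that point (empty, or a value left over from earlier in the script) is used on all three passes and the protected/unprotected/limited rules can survive in FORWARD across ifdown/ifup. Change the two lines to `iptables -D FORWARD -m physdev --physdev-out "$INTERFACE" -j "$oldchain"` and the matching ip6tables line. Since `-D` removes one matching rule per call, a second insert without an intervening clear would also leave a copy behind; looping until `-D` fails would cover that if repeated setup is possible here. The body of clear_ebtables continues past the hunk.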
......@@ -179,6 +188,34 @@ function routed_setup_firewall {
fi
}
# pick a firewall profile per NIC, based on tags (and apply it)
function bridged_setup_firewall {
# for latest ganeti there is no need to check other but uuid
ifprefixindex="synnefo:network:$INTERFACE_INDEX:"
ifprefixname="synnefo:network:$INTERFACE_NAME:"
ifprefixuuid="synnefo:network:$INTERFACE_UUID:"
for tag in $TAGS; do
tag=${tag#$ifprefixindex}
tag=${tag#$ifprefixname}
tag=${tag#$ifprefixuuid}
case $tag in
protected)
chain=protected
;;
unprotected)
chain=unprotected
;;
limited)
chain=limited
;;
esac
done
if [ "x$chain" != "x" ]; then
iptables -I FORWARD -m physdev --physdev-out $INTERFACE -j $chain
ip6tables -I FORWARD -m physdev --physdev-out $INTERFACE -j $chain
fi
}
function init_ebtables {
runlocked $RUNLOCKED_OPTS ebtables -N $FROM -P RETURN
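Review bot: `chain` is never reset before the tag loop in bridged_setup_firewall, so when no profile tag is present the final `[ "x$chain" != "x" ]` test sees whatever the variable already held earlier in the script (presumably routed_setup_firewall, whose body ends just above this hunk, uses the same name) and may insert a rule for a profile this NIC was never tagged with; add `chain=` before `for tag in $TAGS; do`, or `local chain=` since the file uses bash `function` syntax. `$INTERFACE` and `$chain` in the two insert lines should be quoted. The commit message describes an ebtables rule, but this hunk inserts iptables/ip6tables `-m physdev --physdev-out` rules in FORWARD, which only see bridged frames when the host's bridge netfilter hooks are enabled; the header comment should state that prerequisite, since otherwise the profile silently does nothing.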
......@@ -46,6 +46,7 @@ if [ "$MODE" = "routed" ]; then
:;
elif [ "$MODE" = "bridged" ]; then
brctl delif $BRIDGE $INTERFACE
try clear_bridged_setup_firewall
fi
......@@ -45,6 +45,7 @@ get_info
try clear_routed_setup_ipv4
try clear_routed_setup_ipv6
try clear_routed_setup_firewall
try clear_bridged_setup_firewall
try clear_ebtables
try clear_nfdhcpd
......@@ -53,6 +54,7 @@ if [ "$MODE" = "routed" ]; then
elif [ "$MODE" = "bridged" ]; then
ip link set $INTERFACE up
brctl addif $BRIDGE $INTERFACE
try bridged_setup_firewall
fi
for tag in $NETWORK_TAGS; do
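Review bot: `try bridged_setup_firewall` runs after the interface is brought up and attached to the bridge, so there is a window in which frames from the tap are forwarded without the tagged chain in place, if the tap can already carry traffic at that point in the hook. Moving `try bridged_setup_firewall` ahead of `ip link set $INTERFACE up` closes that window; the physdev match is keyed on the interface name and does not need the port to be attached yet, as far as I can tell. The for loop that follows continues outside the hunk.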
......@@ -56,6 +56,7 @@ get_info
try clear_routed_setup_ipv4
try clear_routed_setup_ipv6
try clear_routed_setup_firewall
try clear_bridged_setup_firewall
try clear_ebtables
try clear_nfdhcpd