routed.rst: fixed path and ip rule #3
Open
antonis-m wants to merge 150 commits into grnet:develop from antonis-m:develop
Conversation
Provide all software components needed by synnefo and ganeti to support networking inside the cluster. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Include nfdhcpd and tools handling vlans Include basic scripts for configuring networks in nodes Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Networks without gateway are needed for private networks among VMs. To this end routing table will only have one entry for subnet. Default via gateway is optional. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Assume standard interfaces per nodegroup. First define a network. Then define a nodegroup. Then define connection. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Put all info inside binding files Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
New hook for node-add that configures the interfaces in the new node depending on nodegroup configuration. After adding a nodegroup snf-network-add-group should be invoked. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Mac prefixes are used for private networks. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Useful script after node reboot. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Search the interface of incoming request and find binding info (IPv6 subnet) via traversing all clients configuration and matching cl.ifname (tap0) with the interface above. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
When connecting a network in routed mode pass the routing table and not the vlan as link. The link will be chosen depending on the network type and the cluster/node infrastructure. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
DHCPv6 should work fine. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Supply all the necessary fields for dhcp in binding file (created by kvm-vid-bridge). Reference every dhcp client via the mac or eui64 of the incoming packet on the nfqueue. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Allow binding files in form of GATEWAY6= in case not defined. Modify kvm-vif-bridge that clears the pending rules before handling the tap. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Add a ganeti post hook when a tap gets removed instance-{migrate, failover, remove, stop}-post.d Check if the first NIC that usually is the public interface that gets routed and does proxy ntp in ipv6 has any orphan rule and remove it. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Modify hook to support grnet specific ip-less routing and proxy ndp for ipv6. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
uplink should be public vlan not gateway6 Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
No NFS storage needed. All info passed in hooks env is produced by ganeti. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
No mac filtering, no ebtables, no hooks No private network (bridge with ebtables) just private range (one bridge per vlan) Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
This ferm defines 3 extra chains in filter table (for both ipv4 and ipv6): protected, limited, unprotected. The first drops incoming new connections, allows dns replies and pings. The second allows ssh, and rdp ports. The third just accepts the packet. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
- ifup-extra - firewall - nfdhcpd Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Use addresses reserved for documentation in interfaces example file. Mention two setups: * routed setup - external router - nodes without IP inside routed network - proxy ARP * bridged setup - extra common interfaces on all nodes - one common bridge on separate interface - node with internet access is the gateway and does NAT Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
..and add interfaces, vmrouter ifup and ifdown scripts, and prv-net-helper. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Remove further info and implementation details of ip-less-routed and private-filtered setups from main page. Introduce routed and ebtables page to include all this info. Add /etc/network/interfaces examples for ip-less-routed configuration. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
..and use upper case for all acronyms (NIC, TAP, DNS, SSH, RDP). Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Depending on each rule reason we add a relevant comment prefixed with "snf-network_". Currently we have three reasons: firewall, proxy-arp, extra. Additionally save all rules under /etc/iptables/ at the end of ifup-extra script. This can be used to restore some rules after reloading ferm. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Use $oldchain instead of $chain. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
Ganeti exports node names with their FQDN. Use hostname -f to compare the exported variables and decide whether to execute the hook or not. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
..and don't count on tags, etc. This should work on a best effort basis. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
..to delete neighbor proxy only: 1) in old primary node during instance migrate/failover 2) in primary node during instance shutdown/remove Please note that this is done also by kvm-ifdown-custom. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
For each interface create a file named e.g., tap1 under /var/lib/snf-network/. This file will include all important variables related to the interface (INSTANCE, IP, EUI64, etc.) and then all iptables, arptables and ebtables commands that snf-network has invoked while configuring it. This can be helpful for admins while reloading ferm rules or for debugging purposes. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
This was forgotten when log helper function was introduced. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
The save() function is used in order to save and backup iptables/arptables/ebtables commands related to each interface. The log() function is a wrapper of snf-network-log script. Do not use a default variable for the log script. This could cause a fork bomb if the admin forgot to define it. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
In routed setup do not allow packets coming from a TAP to have a different source IP than the one they are supposed to have. This reduces chances for udp attacks originating inside the datacenter. Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
When openvswitch is used instead of kernel bridges on bridged mode with mac-filtered flavor, openflow static flows need to be created in order to provide mac-isolation
Now packets are not sent out of the port they came in. Also can work for vms that are on more than one ovs
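The following script is an added example and not snf-network's own code. It mirrors what the commits above describe for two flavors: the routed setup (proxy ARP on the TAP, an `ip rule` and host route in a per-network table, and a rule that drops frames leaving the TAP with a source IP other than the assigned one), and the OpenVSwitch mac-filtered bridged flavor (static flows so a port may only send with its own MAC). Each command is appended to a per-interface state file under `$STATE_DIR/<interface>`, in the spirit of the `save()` helper the commits mention. The function names and arguments, the `snf-network_extra` comment on the anti-spoof rule, the `SNF_DRY_RUN` knob and the sample values are assumptions made for this example; it runs offline in dry-run mode and prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not part of snf-network. Routed and OVS mac-filtered
# per-TAP configuration with a recorded state file. Argument names, the
# snf-network_extra comment and SNF_DRY_RUN are assumptions for this example.

STATE_DIR="${STATE_DIR:-/var/lib/snf-network}"
SNF_DRY_RUN="${SNF_DRY_RUN:-1}"   # 1: print commands instead of running them

# run_and_save CMD ARGS...: record the command in the interface's state file,
# then run it (or echo it in dry-run mode). $IFACE is set by the caller.
run_and_save() {
    printf '%s\n' "$*" >> "$STATE_DIR/$IFACE"
    if [ "$SNF_DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# init_state VAR=VALUE...: start a fresh state file with the variables the
# recorded commands depend on (cf. the INSTANCE/IP/EUI64 file per TAP).
init_state() {
    mkdir -p "$STATE_DIR"
    : > "$STATE_DIR/$IFACE"
    printf 'INTERFACE=%s\n' "$IFACE" >> "$STATE_DIR/$IFACE"
    while [ $# -gt 0 ]; do
        printf '%s\n' "$1" >> "$STATE_DIR/$IFACE"
        shift
    done
}

# routed_setup TAP IP TABLE: ip-less routed mode for one IPv4 NIC.
routed_setup() {
    IFACE="$1"; addr="$2"; table="$3"
    init_state "IP=$addr" "TABLE=$table"
    # answer ARP for the VM's address on the TAP itself
    run_and_save sysctl -q -w "net.ipv4.conf.$IFACE.proxy_arp=1"
    # traffic entering from the TAP is looked up in the network's own table
    run_and_save ip rule add iif "$IFACE" table "$table"
    # and the VM itself is reachable through the TAP from that table
    run_and_save ip route add "$addr/32" dev "$IFACE" table "$table"
    # anti-spoofing: only the assigned address may originate from this TAP
    run_and_save iptables -A FORWARD -i "$IFACE" ! -s "$addr" \
        -m comment --comment snf-network_extra -j DROP
}

# routed_teardown TAP IP TABLE: undo routed_setup in reverse order, as an
# instance stop/migrate post hook would.
routed_teardown() {
    IFACE="$1"; addr="$2"; table="$3"
    run_and_save iptables -D FORWARD -i "$IFACE" ! -s "$addr" \
        -m comment --comment snf-network_extra -j DROP
    run_and_save ip route del "$addr/32" dev "$IFACE" table "$table"
    run_and_save ip rule del iif "$IFACE" table "$table"
    run_and_save sysctl -q -w "net.ipv4.conf.$IFACE.proxy_arp=0"
}

# ovs_isolate BRIDGE TAP OFPORT MAC: static flows for the mac-filtered flavor.
# OFPORT is the TAP's OpenFlow port number (ovs-vsctl get Interface TAP ofport).
ovs_isolate() {
    bridge="$1"; IFACE="$2"; port="$3"; mac="$4"
    init_state "BRIDGE=$bridge" "OFPORT=$port" "MAC=$mac"
    # frames carrying the VM's own source MAC follow normal L2 switching,
    # which never sends a frame back out the port it arrived on
    run_and_save ovs-ofctl add-flow "$bridge" \
        "priority=100,in_port=$port,dl_src=$mac,actions=NORMAL"
    # anything else from that port (a spoofed source MAC) is dropped
    run_and_save ovs-ofctl add-flow "$bridge" \
        "priority=90,in_port=$port,actions=drop"
}
```

Run with `SNF_DRY_RUN=0` as root to apply the commands for real; the state file can then be replayed after a ferm reload, and `routed_teardown` removes exactly the rule and route that `routed_setup` added, so nothing is left behind when the instance leaves the node.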
Fixed incorrect path in the command that enables proxy arp on tap interface.
Fixed ip rule missing an "add" keyword