apache/cloudstack
1
0
Fork 0
mirror of https://github.com/apache/cloudstack.git synced 2025-10-26 08:42:29 +01:00
Code Issues Packages Projects Releases Wiki Activity

network: fix event, acl, firewall for ipv6 nw (#6314)

Browse Source 
* add guest ipv6 cidr for fw rule

Signed-off-by: Abhishek Kumar <abhishek.kumar@shapeblue.com>

* fix fw, acl nft chains

Signed-off-by: Abhishek Kumar <abhishek.kumar@shapeblue.com>

* remove unnecessary log

Signed-off-by: Abhishek Kumar <abhishek.kumar@shapeblue.com>

* api response should return default internet protocol

Signed-off-by: Abhishek Kumar <abhishek.kumar@shapeblue.com>

* event resource fix for ipv6 firewall rule events

Signed-off-by: Abhishek Kumar <abhishek.kumar@shapeblue.com>

* fix radvd, restore ipv6 intf in vm type script

Signed-off-by: Abhishek Kumar <abhishek.kumar@shapeblue.com>

* fix dadfailed with rvr

Signed-off-by: Abhishek Kumar <abhishek.kumar@shapeblue.com>
This commit is contained in:
Abhishek Kumar 2022-04-27 08:00:44 +05:30 committed by GitHub
parent 4cc830d04a
commit e53ed9e350
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
17 changed files with 200 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/CreateIpv6FirewallRuleCmd.java
View File

@ -21,6 +21,7 @@ import java.util.List;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandResourceType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCreateCmd;
@ -252,4 +253,14 @@ public class CreateIpv6FirewallRuleCmd extends BaseAsyncCreateCmd {
}
}
}
@Override
public Long getApiResourceId() {
return getNetworkId();
}
@Override
public ApiCommandResourceType getApiResourceType() {
return ApiCommandResourceType.Network;
}
}

14
api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/DeleteIpv6FirewallRuleCmd.java
View File

@ -17,6 +17,7 @@
package org.apache.cloudstack.api.command.user.ipv6;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandResourceType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.ApiErrorCode;
import org.apache.cloudstack.api.BaseAsyncCmd;
@ -94,4 +95,17 @@ public class DeleteIpv6FirewallRuleCmd extends BaseAsyncCmd {
}
}
@Override
public Long getApiResourceId() {
FirewallRule rule = _firewallService.getFirewallRule(id);
if (rule != null) {
return rule.getNetworkId();
}
return null;
}
@Override
public ApiCommandResourceType getApiResourceType() {
return ApiCommandResourceType.Network;
}
}

14
api/src/main/java/org/apache/cloudstack/api/command/user/ipv6/UpdateIpv6FirewallRuleCmd.java
View File

@ -20,6 +20,7 @@ import java.util.List;
import org.apache.cloudstack.acl.RoleType;
import org.apache.cloudstack.api.APICommand;
import org.apache.cloudstack.api.ApiCommandResourceType;
import org.apache.cloudstack.api.ApiConstants;
import org.apache.cloudstack.api.BaseAsyncCustomIdCmd;
import org.apache.cloudstack.api.Parameter;
@ -172,4 +173,17 @@ public class UpdateIpv6FirewallRuleCmd extends BaseAsyncCustomIdCmd {
}
}
@Override
public Long getApiResourceId() {
FirewallRule rule = _firewallService.getFirewallRule(id);
if (rule != null) {
return rule.getNetworkId();
}
return null;
}
@Override
public ApiCommandResourceType getApiResourceType() {
return ApiCommandResourceType.Network;
}
}

8
core/src/main/java/com/cloud/agent/api/routing/SetIpv6FirewallRulesCommand.java
View File

@ -30,18 +30,24 @@ import com.cloud.agent.api.to.FirewallRuleTO;
*/
public class SetIpv6FirewallRulesCommand extends NetworkElementCommand {
FirewallRuleTO[] rules;
String guestIp6Cidr;
protected SetIpv6FirewallRulesCommand() {
}
public SetIpv6FirewallRulesCommand(List<FirewallRuleTO> rules) {
public SetIpv6FirewallRulesCommand(List<FirewallRuleTO> rules, String guestIp6Cidr) {
this.rules = rules.toArray(new FirewallRuleTO[rules.size()]);
this.guestIp6Cidr = guestIp6Cidr;
}
public FirewallRuleTO[] getRules() {
return rules;
}
public String getGuestIp6Cidr() {
return guestIp6Cidr;
}
@Override
public int getAnswersCount() {
return rules.length;

1
core/src/main/java/com/cloud/agent/resource/virtualnetwork/facade/SetIpv6FirewallRulesConfigItem.java
View File

@ -42,6 +42,7 @@ public class SetIpv6FirewallRulesConfigItem extends AbstractConfigItemFacade{
final FirewallRule fwRule = new FirewallRule(rule.getId(), rule.getSrcVlanTag(), rule.getSrcIp(), rule.getProtocol(), rule.getSrcPortRange(), rule.revoked(),
rule.isAlreadyAdded(), rule.getSourceCidrList(), rule.getDestCidrList(), rule.getPurpose().toString(), rule.getIcmpType(), rule.getIcmpCode(), rule.getTrafficType().toString(),
rule.getGuestCidr(), rule.isDefaultEgressPolicy());
fwRule.setGuestIp6Cidr(command.getGuestIp6Cidr());
rules.add(fwRule);
}

8
core/src/main/java/com/cloud/agent/resource/virtualnetwork/model/FirewallRule.java
View File

@ -38,6 +38,7 @@ public class FirewallRule {
private String guestCidr;
private boolean defaultEgressPolicy;
private String type;
private String guestIp6Cidr;
public FirewallRule() {
// Empty constructor for (de)serialization
@ -174,4 +175,11 @@ public class FirewallRule {
this.defaultEgressPolicy = defaultEgressPolicy;
}
public String getGuestIp6Cidr() {
return guestIp6Cidr;
}
public void setGuestIp6Cidr(String guestIp6Cidr) {
this.guestIp6Cidr = guestIp6Cidr;
}
}

2
engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDao.java
View File

@ -73,5 +73,7 @@ public interface NetworkOfferingDao extends GenericDao<NetworkOfferingVO, Long>
NetUtils.InternetProtocol getNetworkOfferingInternetProtocol(long offeringId);
NetUtils.InternetProtocol getNetworkOfferingInternetProtocol(long offeringId, NetUtils.InternetProtocol defaultProtocol);
boolean isIpv6Supported(long offeringId);
}

9
engine/schema/src/main/java/com/cloud/offerings/dao/NetworkOfferingDaoImpl.java
View File

@ -278,6 +278,15 @@ public class NetworkOfferingDaoImpl extends GenericDaoBase<NetworkOfferingVO, Lo
return NetUtils.InternetProtocol.fromValue(internetProtocolStr);
}
@Override
public NetUtils.InternetProtocol getNetworkOfferingInternetProtocol(long offeringId,NetUtils.InternetProtocol defaultProtocol) {
NetUtils.InternetProtocol protocol = getNetworkOfferingInternetProtocol(offeringId);
if (protocol == null) {
return defaultProtocol;
}
return protocol;
}
@Override
public boolean isIpv6Supported(long offeringId) {
NetUtils.InternetProtocol internetProtocol = getNetworkOfferingInternetProtocol(offeringId);

2
server/src/main/java/com/cloud/api/ApiResponseHelper.java
View File

@ -2533,7 +2533,7 @@ public class ApiResponseHelper implements ResponseGenerator {
response.setBytesSent(bytesSent);
if (networkOfferingDao.isIpv6Supported(network.getNetworkOfferingId())) {
response.setInternetProtocol(networkOfferingDao.getNetworkOfferingInternetProtocol(network.getNetworkOfferingId()).toString());
response.setInternetProtocol(networkOfferingDao.getNetworkOfferingInternetProtocol(network.getNetworkOfferingId(), NetUtils.InternetProtocol.IPv4).toString());
response.setIpv6Routing(Network.Routing.Static.toString());
response.setIpv6Routes(new LinkedHashSet<>());
if (Network.GuestType.Isolated.equals(networkOffering.getGuestType())) {

8
server/src/main/java/com/cloud/api/query/dao/NetworkOfferingJoinDaoImpl.java
View File

@ -19,6 +19,7 @@ package com.cloud.api.query.dao;
import java.util.List;
import org.apache.commons.lang3.StringUtils;
import org.apache.cloudstack.api.response.NetworkOfferingResponse;
import org.apache.log4j.Logger;
@ -27,6 +28,7 @@ import com.cloud.offering.NetworkOffering;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.net.NetUtils;
public class NetworkOfferingJoinDaoImpl extends GenericDaoBase<NetworkOfferingJoinVO, Long> implements NetworkOfferingJoinDao {
public static final Logger s_logger = Logger.getLogger(NetworkOfferingJoinDaoImpl.class);
@ -99,7 +101,11 @@ public class NetworkOfferingJoinDaoImpl extends GenericDaoBase<NetworkOfferingJo
networkOfferingResponse.setDomain(networkOfferingJoinVO.getDomainPath());
networkOfferingResponse.setZoneId(networkOfferingJoinVO.getZoneUuid());
networkOfferingResponse.setZone(networkOfferingJoinVO.getZoneName());
networkOfferingResponse.setInternetProtocol(networkOfferingJoinVO.getInternetProtocol());
String protocol = networkOfferingJoinVO.getInternetProtocol();
if (StringUtils.isEmpty(protocol)) {
protocol = NetUtils.InternetProtocol.IPv4.toString();
}
networkOfferingResponse.setInternetProtocol(protocol);
}
networkOfferingResponse.setObjectName("networkoffering");

8
server/src/main/java/com/cloud/api/query/dao/VpcOfferingJoinDaoImpl.java
View File

@ -20,6 +20,7 @@ package com.cloud.api.query.dao;
import java.util.List;
import org.apache.cloudstack.api.response.VpcOfferingResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.log4j.Logger;
import com.cloud.api.query.vo.VpcOfferingJoinVO;
@ -27,6 +28,7 @@ import com.cloud.network.vpc.VpcOffering;
import com.cloud.utils.db.GenericDaoBase;
import com.cloud.utils.db.SearchBuilder;
import com.cloud.utils.db.SearchCriteria;
import com.cloud.utils.net.NetUtils;
public class VpcOfferingJoinDaoImpl extends GenericDaoBase<VpcOfferingJoinVO, Long> implements VpcOfferingJoinDao {
public static final Logger s_logger = Logger.getLogger(VpcOfferingJoinDaoImpl.class);
@ -70,7 +72,11 @@ public class VpcOfferingJoinDaoImpl extends GenericDaoBase<VpcOfferingJoinVO, Lo
offeringResponse.setDomain(offeringJoinVO.getDomainPath());
offeringResponse.setZoneId(offeringJoinVO.getZoneUuid());
offeringResponse.setZone(offeringJoinVO.getZoneName());
offeringResponse.setInternetProtocol(offeringJoinVO.getInternetProtocol());
String protocol = offeringJoinVO.getInternetProtocol();
if (StringUtils.isEmpty(protocol)) {
protocol = NetUtils.InternetProtocol.IPv4.toString();
}
offeringResponse.setInternetProtocol(protocol);
}
offeringResponse.setObjectName("vpcoffering");

18
server/src/main/java/com/cloud/network/router/CommandSetupHelper.java
View File

@ -461,7 +461,9 @@ public class CommandSetupHelper {
public void createApplyIpv6FirewallRulesCommands(final List<? extends FirewallRule> rules, final VirtualRouter router, final Commands cmds, final long guestNetworkId) {
final List<FirewallRuleTO> rulesTO = new ArrayList<>();
String systemRule = null;
Boolean defaultEgressPolicy = false;
final NetworkVO network = _networkDao.findById(guestNetworkId);
final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
Boolean defaultEgressPolicy = offering.isEgressDefaultPolicy();;
if (rules != null) {
if (rules.size() > 0) {
if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) {
@ -476,16 +478,13 @@ public class CommandSetupHelper {
final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, null, Purpose.Ipv6Firewall, trafficType);
rulesTO.add(ruleTO);
} else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) {
final NetworkVO network = _networkDao.findById(guestNetworkId);
final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
defaultEgressPolicy = offering.isEgressDefaultPolicy();
final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, "", Purpose.Ipv6Firewall, trafficType, defaultEgressPolicy);
rulesTO.add(ruleTO);
}
}
}
final SetIpv6FirewallRulesCommand cmd = new SetIpv6FirewallRulesCommand(rulesTO);
final SetIpv6FirewallRulesCommand cmd = new SetIpv6FirewallRulesCommand(rulesTO, network.getIp6Cidr());
cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, _routerControlHelper.getRouterControlIp(router.getId()));
cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP, _routerControlHelper.getRouterIpInNetwork(guestNetworkId, router.getId()));
cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName());
@ -547,7 +546,9 @@ public class CommandSetupHelper {
public void createIpv6FirewallRulesCommands(final List<? extends FirewallRule> rules, final VirtualRouter router, final Commands cmds, final long guestNetworkId) {
final List<FirewallRuleTO> rulesTO = new ArrayList<>();
String systemRule = null;
Boolean defaultEgressPolicy = false;
final NetworkVO network = _networkDao.findById(guestNetworkId);
final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
Boolean defaultEgressPolicy = offering.isEgressDefaultPolicy();
if (rules != null) {
if (rules.size() > 0) {
if (rules.get(0).getTrafficType() == FirewallRule.TrafficType.Egress && rules.get(0).getType() == FirewallRule.FirewallRuleType.System) {
@ -562,16 +563,13 @@ public class CommandSetupHelper {
final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, null, Purpose.Ipv6Firewall, traffictype);
rulesTO.add(ruleTO);
} else if (rule.getTrafficType() == FirewallRule.TrafficType.Egress) {
final NetworkVO network = _networkDao.findById(guestNetworkId);
final NetworkOfferingVO offering = _networkOfferingDao.findById(network.getNetworkOfferingId());
defaultEgressPolicy = offering.isEgressDefaultPolicy();
final FirewallRuleTO ruleTO = new FirewallRuleTO(rule, null, "", Purpose.Ipv6Firewall, traffictype, defaultEgressPolicy);
rulesTO.add(ruleTO);
}
}
}
final SetIpv6FirewallRulesCommand cmd = new SetIpv6FirewallRulesCommand(rulesTO);
final SetIpv6FirewallRulesCommand cmd = new SetIpv6FirewallRulesCommand(rulesTO, network.getIp6Cidr());
cmd.setAccessDetail(NetworkElementCommand.ROUTER_IP, _routerControlHelper.getRouterControlIp(router.getId()));
cmd.setAccessDetail(NetworkElementCommand.ROUTER_GUEST_IP, _routerControlHelper.getRouterIpInNetwork(guestNetworkId, router.getId()));
cmd.setAccessDetail(NetworkElementCommand.ROUTER_NAME, router.getInstanceName());

46
systemvm/debian/opt/cloud/bin/configure.py
View File

@ -296,17 +296,13 @@ class CsAcl(CsDataBag):
return
tier_cidr = self.ip6_cidr
chain = "%s_%s_policy" % (self.device, direction)
rule = "accept"
parent_chain = "acl_output"
parent_chain = "acl_forward"
cidr_key = "saddr"
parent_chain_rule = "ip6 saddr ::/0 jump %s" % (chain)
if direction == "ingress":
rule = "drop"
parent_chain = "acl_input"
cidr_key = "daddr"
parent_chain_rule = "ip6 %s %s jump %s" % (cidr_key, tier_cidr, chain)
self.ipv6_acl.append({'type': "", 'chain': parent_chain, 'rule': parent_chain_rule})
self.ipv6_acl.insert(0, {'type': "chain", 'chain': chain, 'rule': rule})
self.ipv6_acl.insert(0, {'type': "", 'chain': parent_chain, 'rule': parent_chain_rule})
self.ipv6_acl.insert(0, {'type': "chain", 'chain': chain})
for rule in rule_list:
cidr = rule['cidr']
if cidr != None and cidr != "":
@ -369,6 +365,8 @@ class CsAcl(CsDataBag):
self.ipv6_acl.insert(0, {'type': type, 'chain': chain, 'rule': rstr})
else:
self.ipv6_acl.append({'type': type, 'chain': chain, 'rule': rstr})
rstr = "counter packets 0 bytes 0 drop"
self.ipv6_acl.append({'type': "", 'chain': chain, 'rule': rstr})
def process(self, direction, rule_list, base):
count = base
@ -480,10 +478,30 @@ class CsIpv6Firewall(CsDataBag):
def process(self):
fw = self.config.get_ipv6_fw()
logging.info("Processing IPv6 firewall rules %s; %s" % (self.dbag, fw))
chains_added = False
egress_policy = None
for item in self.dbag:
if item == "id":
continue
rule = self.dbag[item]
if chains_added == False:
guest_cidr = rule['guest_ip6_cidr']
parent_chain = "fw_forward"
chain = "fw_chain_egress"
parent_chain_rule = "ip6 saddr %s jump %s" % (guest_cidr, chain)
fw.append({'type': "chain", 'chain': chain})
fw.append({'type': "", 'chain': parent_chain, 'rule': parent_chain_rule})
chain = "fw_chain_ingress"
parent_chain_rule = "ip6 daddr %s jump %s" % (guest_cidr, chain)
fw.append({'type': "chain", 'chain': chain})
fw.append({'type': "", 'chain': parent_chain, 'rule': parent_chain_rule})
if rule['default_egress_policy']:
egress_policy = "accept"
else:
egress_policy = "drop"
chains_added = True
rstr = ""
chain = "fw_chain_ingress"
@ -561,14 +579,14 @@ class CsIpv6Firewall(CsDataBag):
rstr = appendStringIfNotEmpty(rstr, proto)
if rstr and action:
rstr = rstr + " " + action
else:
type = "chain"
rstr = action
logging.debug("Process IPv6 firewall rule %s" % rstr)
if type == "chain":
fw.insert(0, {'type': type, 'chain': chain, 'rule': rstr})
else:
logging.debug("Process IPv6 firewall rule %s" % rstr)
fw.append({'type': type, 'chain': chain, 'rule': rstr})
if chains_added:
base_rstr = "counter packets 0 bytes 0"
rstr = "%s drop" % base_rstr
fw.append({'type': "", 'chain': "fw_chain_ingress", 'rule': rstr})
rstr = "%s %s" % (base_rstr, egress_policy)
fw.append({'type': "", 'chain': "fw_chain_egress", 'rule': rstr})
class CsVmMetadata(CsDataBag):

20
systemvm/debian/opt/cloud/bin/cs/CsNetfilter.py
View File

@ -229,23 +229,23 @@ class CsNetfilters(object):
if chain_policy and action:
chain_policy = "%s policy %s;" % (chain_policy, action)
CsHelper.execute("nft add chain %s %s %s '{ %s }'" % (address_family, table, chain, chain_policy))
if chain_policy:
if hook == "input" or hook == "output":
CsHelper.execute("nft add rule %s %s %s icmpv6 type { echo-request, echo-reply, nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept" % (address_family, table, chain))
def apply_ip6_rules(self, rules, type):
logging.debug("Add IPv6 rules: %s", rules)
if len(rules) == 0:
return
address_family = 'ip6'
table = 'ip6_firewall'
default_chains = [
{ "chain": "fw_chain_ingress", "hook": "input", "action": "drop"}
{ "chain": "fw_input", "hook": "input", "action": "drop"},
{ "chain": "fw_forward", "hook": "forward", "action": "accept"}
]
if type == "acl":
table = 'ip6_acl'
default_chains = [
{ "chain": "acl_input", "hook": "input", "action": "drop" },
{ "chain": "acl_output", "hook": "output", "action": "accept" }
{ "chain": "acl_forward", "hook": "forward", "action": "accept"}
]
CsHelper.execute("nft add table %s %s" % (address_family, table))
for chain in default_chains:
@ -253,13 +253,15 @@ class CsNetfilters(object):
for fw in rules:
chain = fw['chain']
type = fw['type']
rule = fw['rule']
rule = None
if 'rule' in fw:
rule = fw['rule']
if type == "chain":
hook = "input"
if "egress" in chain:
hook = ""
if "output" in chain:
hook = "output"
if chain.startswith("eth"):
hook = ""
elif "input" in chain:
hook = "input"
self.add_ip6_chain(address_family, table, chain, hook, rule)
else:
logging.info("Add: rule=%s in address_family=%s table=%s, chain=%s", rule, address_family, table, chain)

9
systemvm/debian/opt/cloud/bin/setup/bootstrap.sh
View File

@ -85,15 +85,6 @@ config_sysctl() {
sed -i "/^vm.vfs_cache_pressure/ c\vm.vfs_cache_pressure = 100" /etc/sysctl.conf
fi
eth0_ip6=$(grep -Po 'eth0ip6=\K[0-9a-zA-Z:]*' $CMDLINE)
eth2_ip6=$(grep -Po 'eth2ip6=\K[0-9a-zA-Z:]*' $CMDLINE)
if [ -n "$eth0_ip6" ] || [ -n "$eth2_ip6" ]
then
sed -i "s/net.ipv6.conf.all.disable_ipv6 =.*$/net.ipv6.conf.all.disable_ipv6 = 0/" /etc/sysctl.conf
sed -i "s/net.ipv6.conf.all.forwarding =.*$/net.ipv6.conf.all.forwarding = 1/" /etc/sysctl.conf
sed -i "s/net.ipv6.conf.all.accept_ra =.*$/net.ipv6.conf.all.accept_ra = 1/" /etc/sysctl.conf
fi
sync
sysctl -p
}

88
systemvm/debian/opt/cloud/bin/setup/common.sh
View File

@ -110,23 +110,31 @@ setup_interface() {
fi
}
setup_interface_ipv6() {
enable_interface_ipv6() {
local intf=eth${1}
log_it "Enabling IPv6 on interface: ${intf}"
sysctl net.ipv6.conf.all.disable_ipv6=0
sysctl net.ipv6.conf.all.forwarding=1
sysctl net.ipv6.conf.all.accept_ra=1
sed -i "s/net.ipv6.conf.all.disable_ipv6 =.*$/net.ipv6.conf.all.disable_ipv6 = 0/" /etc/sysctl.conf
sed -i "s/net.ipv6.conf.all.forwarding =.*$/net.ipv6.conf.all.forwarding = 1/" /etc/sysctl.conf
sed -i "s/net.ipv6.conf.all.accept_ra =.*$/net.ipv6.conf.all.accept_ra = 1/" /etc/sysctl.conf
sysctl net.ipv6.conf.${intf}.accept_dad=0
sysctl net.ipv6.conf.${intf}.use_tempaddr=0
if [ "$2" = true ] ; then
ifdown ${intf}
ifup ${intf}
fi
}
setup_interface_ipv6() {
enable_interface_ipv6 $1 false
local intfnum=$1
local ipv6="$2"
local prelen="$3"
local intf=eth${intfnum}
sysctl net.ipv6.conf.$intf.accept_dad=0
sysctl net.ipv6.conf.$intf.use_tempaddr=0
echo "iface $intf inet6 static" >> /etc/network/interfaces
echo " address $ipv6 " >> /etc/network/interfaces
echo " netmask $prelen" >> /etc/network/interfaces
@ -266,31 +274,52 @@ enable_rpsrfs() {
echo 256 > /sys/class/net/eth2/queues/rx-0/rps_flow_cnt
}
setup_ipv6() {
local enableradvd=false
if [ -n "$ETH0_IP6" ]
then
enableradvd=true
setup_interface_ipv6 "0" $ETH0_IP6 $ETH0_IP6_PRELEN
fi
if [ -n "$ETH0_IP6" ] || [ -n "$GUEST_GW6" -a -n "$GUEST_CIDR6_SIZE" ]
then
rm -rf /etc/radvd.conf
setup_radvd "0" $GUEST_GW6 $GUEST_CIDR6_SIZE $enableradvd
fi
if [ -n "$ETH2_IP6" ]
then
setup_interface_ipv6 "2" $ETH2_IP6 $ETH2_IP6_PRELEN
fi
}
restore_ipv6() {
if [ -n "$ETH0_IP6" ] || [ -n "$GUEST_GW6" -a -n "$GUEST_CIDR6_SIZE" ]
then
enable_interface_ipv6 "0" true
fi
if [ -n "$ETH0_IP6" ]
then
enable_radvd
fi
if [ -n "$ETH2_IP6" ]
then
enable_interface_ipv6 "2" true
fi
}
setup_common() {
init_interfaces $1 $2 $3
if [ -n "$ETH0_IP" ]
then
setup_interface "0" $ETH0_IP $ETH0_MASK $GW
fi
if [ -n "$ETH0_IP6" ]
then
setup_interface_ipv6 "0" $ETH0_IP6 $ETH0_IP6_PRELEN
rm -rf /etc/radvd.conf
setup_radvd "0" $ETH0_IP6 $ETH0_IP6_PRELEN true
elif [ -n "$GUEST_GW6" -a -n "$GUEST_CIDR6_SIZE" ]
then
rm -rf /etc/radvd.conf
setup_radvd "0" $GUEST_GW6 $GUEST_CIDR6_SIZE false
fi
setup_interface "1" $ETH1_IP $ETH1_MASK $GW
if [ -n "$ETH2_IP" ]
then
setup_interface "2" $ETH2_IP $ETH2_MASK $GW
fi
if [ -n "$ETH2_IP6" ]
then
setup_interface_ipv6 "2" $ETH2_IP6 $ETH2_IP6_PRELEN
fi
setup_ipv6
echo $NAME > /etc/hostname
echo 'AVAHI_DAEMON_DETECT_LOCAL=0' > /etc/default/avahi-daemon
@ -370,6 +399,24 @@ setup_common() {
fi
}
enable_radvd() {
systemctl -q is-enabled radvd
status=$?
if [ $status -ne 0 ]
then
log_it "Enabling radvd"
systemctl enable radvd
echo "radvd" >> /var/cache/cloud/enabled_svcs
fi
systemctl -q is-active radvd
status=$?
if [ $status -ne 0 ]
then
log_it "Starting radvd"
systemctl start radvd
fi
}
setup_radvd() {
log_it "Setting up radvd"
@ -394,8 +441,7 @@ setup_radvd() {
sed -i "s,{{ RDNSS_CONFIG }},$RDNSS_CFG,g" /etc/radvd.conf.$intf
cat /etc/radvd.conf.$intf >> /etc/radvd.conf
if [ "$enable" = true ] ; then
systemctl enable radvd
echo "radvd" >> /var/cache/cloud/enabled_svcs
enable_radvd
fi
}

1
systemvm/debian/opt/cloud/bin/setup/router.sh
View File

@ -71,6 +71,7 @@ setup_router() {
enable_fwding 1
enable_rpsrfs 1
enable_passive_ftp 1
restore_ipv6
# Only allow DNS service for current network
sed -i "s/-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT/-A INPUT -i eth0 -p udp -m udp --dport 53 -s $DHCP_RANGE\/$CIDR_SIZE -j ACCEPT/g" /etc/iptables/rules.v4