def Ii111(lisp_thread):
lisp.lisp_set_exception()
if (lisp.lisp_myrlocs[0] == None): return
if 67 - 67: O0
oOOo000oOoO0 = "lo0" if lisp.lisp_is_macos() else "any"
if 52 - 52: II111iiii.ooOoO0o / OoOoOO00 / OoooooooOO.i11iIiiIii
I1i1i = pcappy.open_live(oOOo000oOoO0, 9000, 0, 100)
if 86 - 86: Oo0Ooo / oO0o + O0 * iII111i
iiI11I1i1i1iI = "(dst host "
OoOOo000o0 = ""
for oO0OOoO0 in lisp.lisp_get_all_addresses():
iiI11I1i1i1iI += "{} or ".format(oO0OOoO0)
OoOOo000o0 += "{} or ".format(oO0OOoO0)
if 12 - 12: II111iiii.I11i / OOooOOo
iiI11I1i1i1iI = iiI11I1i1i1iI[0:-4]
iiI11I1i1i1iI += ") and ((udp dst port 4341 or 8472 or 4789) or "
iiI11I1i1i1iI += "(proto 17 and (ip[6]&0xe0 == 0x20 or " + "(ip[6]&0xe0 == 0 and ip[7] != 0))))"
if 77 - 77: ooOoO0o - I1IiiI % I11i - O0
if 67 - 67: OOooOOo + Oo0Ooo
if 84 - 84: O0 * OoooooooOO - IiII * IiII
if 8 - 8: ooOoO0o / i1IIi.oO0o
if 41 - 41: iII111i + OoO0O00
if 86 - 86: OoOoOO00.iIii1I11I1II1 - OoO0O00
OoOOo000o0 = OoOOo000o0[0:-4]
iiI11I1i1i1iI += (
" or (not (src host {}) and " +
"((udp src port 4342 and ip[28] == 0x28) or " +
"(udp dst port 4342 and ip[28] == 0x12)))").format(OoOOo000o0)
if 56 - 56: O0
if 61 - 61: o0oOOo0O0Ooo / OOooOOo / Oo0Ooo * O0
if 23 - 23: oO0o - OOooOOo + I11i
lisp.lprint("Capturing packets for: '{}'".format(iiI11I1i1i1iI))
I1i1i.filter = iiI11I1i1i1iI
if 12 - 12: I1IiiI / ooOoO0o % o0oOOo0O0Ooo / i11iIiiIii % OoooooooOO
if 15 - 15: iIii1I11I1II1 % OoooooooOO - Oo0Ooo * Ii1I + I11i
if 11 - 11: iII111i * Ii1I - OoOoOO00
if 66 - 66:
OoOoOO00.i11iIiiIii - iII111i * o0oOOo0O0Ooo + OoooooooOO * I1ii11iIi11i
I1i1i.loop(-1, Oo, [oOOo000oOoO0, lisp_thread])
return
if 74 - 74: Oo0Ooo
if 61 - 61:
Oo0Ooo - I1Ii111 * II111iiii % ooOoO0o * iIii1I11I1II1 + OoO0O00
if 71 - 71: I11i / I11i * oO0o * oO0o / II111iiii
if 35 - 35: OOooOOo * o0oOOo0O0Ooo * I1IiiI % Oo0Ooo.OoOoOO00
if 58 - 58: I11i + II111iiii * iII111i * i11iIiiIii - iIii1I11I1II1
if 68 - 68: OoooooooOO % II111iiii
if 26 - 26:
II111iiii % i11iIiiIii % iIii1I11I1II1 % I11i * I11i * I1ii11iIi11i
def lisp_rtr_pcap_thread(lisp_thread):
lisp.lisp_set_exception()
if (lisp.lisp_myrlocs[0] == None): return
device = "lo0" if lisp.lisp_is_macos() else "any"
pcap = pcappy.open_live(device, 9000, 0, 100)
#
# If "lisp-nat = yes" is configured, then a PETR is co-located with this
# RTR functionality. We need to pcap *all* packets (0.0.0.0/0 and 0::/0).
#
lisp_nat = commands.getoutput("egrep 'lisp-nat = yes' ./lisp.config")
lisp_nat = (lisp_nat != "" and lisp_nat[0] == " ")
pfilter = "(dst host "
afilter = ""
for addr in lisp.lisp_get_all_addresses():
pfilter += "{} or ".format(addr)
afilter += "{} or ".format(addr)
#endif
pfilter = pfilter[0:-4]
pfilter += ") and ((udp dst port 4341 or 8472 or 4789) or "
pfilter += "(proto 17 and (ip[6]&0xe0 == 0x20 or " + \
"(ip[6]&0xe0 == 0 and ip[7] != 0))))"
#
# For RLOC-probe messages that come via pcap interface so we have the
# IP header to grab the TTL.
#
afilter = afilter[0:-4]
pfilter += (" or (not (src host {}) and " + \
"((udp src port 4342 and ip[28] == 0x28) or " + \
"(udp dst port 4342 and ip[28] == 0x12)))").format(afilter)
if (lisp_nat):
pfilter += " or (dst net 0.0.0.0/0 and not (host {}))".format(afilter)
#endif
lisp.lprint("Capturing packets for: '{}'".format(pfilter))
pcap.filter = pfilter
#
# Enter receive loop.
#
pcap.loop(-1, lisp_rtr_pcap_process_packet, [device, lisp_thread])
return
def oo0OOo0O(lisp_thread):
lisp.lisp_set_exception()
if (lisp.lisp_myrlocs[0] == None): return
if 39 - 39: OoooooooOO + oO0o % OOooOOo / OOooOOo
Ii1ii111i1 = "lo0" if lisp.lisp_is_macos() else "any"
if 27 - 27: iII111i.I11i.iIii1I11I1II1.iIii1I11I1II1
iIi1i = pcappy.open_live(Ii1ii111i1, 9000, 0, 100)
if 4 - 4: I1Ii111 / i11iIiiIii / OOooOOo
OooO0ooo0o = "(dst host "
iii1 = ""
for oO0OOoO0 in lisp.lisp_get_all_addresses():
OooO0ooo0o += "{} or ".format(oO0OOoO0)
iii1 += "{} or ".format(oO0OOoO0)
if 32 - 32: Ii1I.IiII.OoooooooOO - OoO0O00 + oO0o
OooO0ooo0o = OooO0ooo0o[0:-4]
OooO0ooo0o += ") and ((udp dst port 4341 or 8472 or 4789) or "
OooO0ooo0o += "(proto 17 and (ip[6]&0xe0 == 0x20 or " + "(ip[6]&0xe0 == 0 and ip[7] != 0))))"
if 88 - 88: iII111i
if 19 - 19: II111iiii * IiII + Ii1I
if 65 - 65: OOooOOo.I1Ii111.OoO0O00.iII111i - OOooOOo
if 19 - 19: i11iIiiIii + iII111i % ooOoO0o
if 14 - 14: OoO0O00.II111iiii.I11i / Ii1I % I1ii11iIi11i - ooOoO0o
if 67 - 67: I11i - OOooOOo.i1IIi
iii1 = iii1[0:-4]
OooO0ooo0o += (" or (not (src host {}) and " +
"((udp src port 4342 and ip[28] == 0x28) or " +
"(udp dst port 4342 and ip[28] == 0x12)))").format(iii1)
if 35 - 35: iII111i + ooOoO0o - oO0o.iII111i.IiII
if 87 - 87: OoOoOO00
if 25 - 25: i1IIi.OoO0O00 - OoOoOO00 / OoO0O00 % OoO0O00 * iIii1I11I1II1
lisp.lprint("Capturing packets for: '{}'".format(OooO0ooo0o))
iIi1i.filter = OooO0ooo0o
if 50 - 50: OoO0O00.i11iIiiIii - oO0o.oO0o
if 31 - 31: OOooOOo / Oo0Ooo * i1IIi.OoOoOO00
if 57 - 57: OOooOOo + iIii1I11I1II1 % i1IIi % I1IiiI
if 83 - 83:
o0oOOo0O0Ooo / i11iIiiIii % iIii1I11I1II1.I11i % oO0o.OoooooooOO
iIi1i.loop(-1, OoO, [Ii1ii111i1, lisp_thread])
return
if 94 - 94: Ii1I + iIii1I11I1II1 % OoO0O00
if 93 - 93: Ii1I - OOooOOo + iIii1I11I1II1 * o0oOOo0O0Ooo + I1Ii111.iII111i
if 49 - 49: OoooooooOO * I11i - Oo0Ooo.oO0o
if 89 - 89: ooOoO0o + Ii1I * ooOoO0o / ooOoO0o
if 46 - 46: OoO0O00
if 71 - 71: I11i / I11i * oO0o * oO0o / II111iiii
if 35 - 35: OOooOOo * o0oOOo0O0Ooo * I1IiiI % Oo0Ooo.OoOoOO00
def I1iIII1(lisp_thread):
lisp.lisp_set_exception()
if (lisp.lisp_myrlocs[0] == None): return
if 39 - 39: OoooooooOO
OOOOoO000 = "lo0" if lisp.lisp_is_macos() else "any"
if 38 - 38: I1IiiI
oOo0OoOOo0 = pcappy.open_live(OOOOoO000, 9000, 0, 100)
if 30 - 30: I1ii11iIi11i % I1IiiI
O0Oo00 = "(dst host "
ii1IiIIi1i = ""
for oO0OOoO0 in lisp.lisp_get_all_addresses():
O0Oo00 += "{} or ".format(oO0OOoO0)
ii1IiIIi1i += "{} or ".format(oO0OOoO0)
if 54 - 54: ooOoO0o
O0Oo00 = O0Oo00[0:-4]
O0Oo00 += ") and ((udp dst port 4341 or 8472 or 4789) or "
O0Oo00 += "(proto 17 and (ip[6]&0xe0 == 0x20 or " + "(ip[6]&0xe0 == 0 and ip[7] != 0))))"
if 67 - 67: OOooOOo.Oo0Ooo + OoOoOO00 - OoooooooOO
if 70 - 70: OOooOOo / II111iiii - iIii1I11I1II1 - iII111i
if 11 - 11: iIii1I11I1II1.OoooooooOO.II111iiii / i1IIi - I11i
if 30 - 30: OoOoOO00
if 21 - 21: i11iIiiIii / I1Ii111 % OOooOOo * O0.I11i - iIii1I11I1II1
if 26 - 26: II111iiii * OoOoOO00
ii1IiIIi1i = ii1IiIIi1i[0:-4]
O0Oo00 += (" or (not (src host {}) and " +
"((udp src port 4342 and ip[28] == 0x28) or " +
"(udp dst port 4342 and ip[28] == 0x12)))").format(ii1IiIIi1i)
if 10 - 10: II111iiii.iII111i
if 32 - 32: Ii1I.IiII.OoooooooOO - OoO0O00 + oO0o
if 88 - 88: iII111i
lisp.lprint("Capturing packets for: '{}'".format(O0Oo00))
oOo0OoOOo0.filter = O0Oo00
if 19 - 19: II111iiii * IiII + Ii1I
if 65 - 65: OOooOOo.I1Ii111.OoO0O00.iII111i - OOooOOo
if 19 - 19: i11iIiiIii + iII111i % ooOoO0o
if 14 - 14: OoO0O00.II111iiii.I11i / Ii1I % I1ii11iIi11i - ooOoO0o
oOo0OoOOo0.loop(-1, OO0, [OOOOoO000, lisp_thread])
return
if 67 - 67: I11i - OOooOOo.i1IIi
if 35 - 35: iII111i + ooOoO0o - oO0o.iII111i.IiII
if 87 - 87: OoOoOO00
if 25 - 25: i1IIi.OoO0O00 - OoOoOO00 / OoO0O00 % OoO0O00 * iIii1I11I1II1
if 50 - 50: OoO0O00.i11iIiiIii - oO0o.oO0o
if 31 - 31: OOooOOo / Oo0Ooo * i1IIi.OoOoOO00
if 57 - 57: OOooOOo + iIii1I11I1II1 % i1IIi % I1IiiI
def lisp_rtr_pcap_thread(lisp_thread):
lisp.lisp_set_exception()
if (lisp.lisp_myrlocs[0] == None): return
device = "lo0" if lisp.lisp_is_macos() else "any"
pcap = pcappy.open_live(device, 9000, 0, 100)
pfilter = "(dst host "
afilter = ""
for addr in lisp.lisp_get_all_addresses():
pfilter += "{} or ".format(addr)
afilter += "{} or ".format(addr)
#endif
pfilter = pfilter[0:-4]
pfilter += ") and ((udp dst port 4341 or 8472 or 4789) or "
pfilter += "(proto 17 and (ip[6]&0xe0 == 0x20 or " + \
"(ip[6]&0xe0 == 0 and ip[7] != 0))))"
#
# For RLOC-probe messages that come via pcap interface so we have the
# IP header to grab the TTL.
#
afilter = afilter[0:-4]
pfilter += (" or (not (src host {}) and " + \
"((udp src port 4342 and ip[28] == 0x28) or " + \
"(udp dst port 4342 and ip[28] == 0x12)))").format(afilter)
lisp.lprint("Capturing packets for: '{}'".format(pfilter))
pcap.filter = pfilter
#
# Enter receive loop.
#
pcap.loop(-1, lisp_rtr_pcap_process_packet, [device, lisp_thread])
return
def lisp_itr_kernel_filter(sources, dyn_eids):
if (os.getenv("LISP_NO_IPTABLES") != None):
lisp.lprint("User selected to suppress installing iptables rules")
return
#endif
os.system("sudo iptables -t raw -N lisp")
os.system("sudo iptables -t raw -A PREROUTING -j lisp")
os.system("sudo ip6tables -t raw -N lisp")
os.system("sudo ip6tables -t raw -A PREROUTING -j lisp")
#
# Have kernel process packets for local addresses when sourced from site
# EIDs. We do not want the lisp-itr process to process such packets.
# We want the kernel to deliver packets to and from local applications.
# And we want the kernel to forward decapsulated packets out interfaces
# leading the EIDs.
#
add = "sudo ip{}tables -t raw -A lisp -j ACCEPT -d {}"
addr_set = ["127.0.0.1", "::1", "224.0.0.0/4 -p igmp", "ff00::/8",
"fe80::/16"]
addr_set += sources + lisp.lisp_get_all_addresses()
for addr in addr_set:
if (lisp.lisp_is_mac_string(addr)): continue
six = "" if addr.find(":") == -1 else "6"
os.system(add.format(six, addr))
#endfor
#
# When source and destination addresses are EIDs for this LISP site,
# we want the kernel to do local routing. But as a PITR, we don't want
# the kernel to route everything (EID-prefix 0.0.0.0/0) or we can't have
# this process encapsulate for any source address to a destination EID.
#
if (lisp.lisp_pitr == False):
add = "sudo ip{}tables -t raw -A lisp -j ACCEPT -s {} -d {}"
check = "sudo ip{}tables -t raw -C lisp -j ACCEPT -s {} -d {}"
for source in sources:
if (lisp.lisp_is_mac_string(source)): continue
if (source in dyn_eids): continue
six = "" if source.find(":") == -1 else "6"
for s in sources:
if (lisp.lisp_is_mac_string(s)): continue
if (s in dyn_eids): continue
if (s.find(".") != -1 and source.find(".") == -1): continue
if (s.find(":") != -1 and source.find(":") == -1): continue
if (commands.getoutput(check.format(six, source, s)) == ""):
continue
#endif
os.system(add.format(six, source, s))
#endfor
#endfor
#endif
#
# Now put in drop rules for each "lisp database-mapping" EID-prefix.
#
drop = "sudo ip{}tables -t raw -A lisp -j DROP -s {}"
for source in sources:
if (lisp.lisp_is_mac_string(source)): continue
six = "" if source.find(":") == -1 else "6"
os.system(drop.format(six, source))
#endif
#
# Print out rules we just configured.
#
rules = commands.getoutput("sudo iptables -t raw -S lisp").split("\n")
rules += commands.getoutput("sudo ip6tables -t raw -S lisp").split("\n")
lisp.lprint("Using kernel filters: {}".format(rules))
#
# Check if we need to put in a iptables rule workaround for the virtio TCP
# checksum corruption problem for KVM guest OSes. Check environmnt
# variable LISP_VIRTIO_BUG.
#
# Note a debian host system that runs docker will need the following
# command so ip6tables works inside of the docker container:
#
# sudo modprobe ip6table_filter
#
if (os.getenv("LISP_VIRTIO_BUG") != None):
c = ("sudo iptables -A POSTROUTING -t mangle -p tcp -j " + \
"CHECKSUM --checksum-fill; ")
c += ("sudo iptables -A POSTROUTING -t mangle -p udp -j " + \
"CHECKSUM --checksum-fill; ")
c += ("sudo ip6tables -A POSTROUTING -t mangle -p tcp -j " + \
"CHECKSUM --checksum-fill; ")
c += ("sudo ip6tables -A POSTROUTING -t mangle -p udp -j " + \
"CHECKSUM --checksum-fill")
os.system(c)
virtio = lisp.bold("virtio", False)
lisp.lprint("{} bug workaround, configure '{}'".format(virtio, c))
#endif
return
def lisp_itr_build_pcap_filter(sources, dyn_eids, l2_overlay, pitr):
if (l2_overlay):
pfilter = "ether[6:4] >= 0 and ether[10:2] >= 0"
lisp.lprint("Using pcap filter: '{}'".format(pfilter))
return(pfilter)
#endif
ether_pfilter = "(not ether proto 0x806)"
probe_pfilter = " or (udp src port 4342 and ip[28] == 0x28)"
decent_pfilter = \
" or (ip[16] >= 224 and ip[16] < 240 and (ip[28] & 0xf0) == 0x30)"
src_pfilter = ""
dst_pfilter = ""
for source in sources:
insert_source = source
if (lisp.lisp_is_mac_string(source)):
insert_source = source.split("/")[0]
insert_source = insert_source.replace("-", "")
mac_str = []
for i in range(0, 12, 2): mac_str.append(insert_source[i:i+2])
insert_source = "ether host " + ":".join(mac_str)
#endif
src_pfilter += "{}".format(insert_source)
if (source not in dyn_eids): dst_pfilter += "{}".format(insert_source)
if (sources[-1] == source): break
src_pfilter += " or "
if (source not in dyn_eids): dst_pfilter += " or "
#endfor
if (dst_pfilter[-4::] == " or "): dst_pfilter = dst_pfilter[0:-4]
#
# If "lisp-nat = yes" is configured, then we are a PETR and we need
# to accept packets for local EIDs (assigned to loopback interfaces).
# So allow the first one to be accepted.
#
lisp_nat = commands.getoutput("egrep 'lisp-nat = yes' ./lisp.config")
lisp_nat = (lisp_nat != "" and lisp_nat[0] == " ")
loopback = lisp.lisp_get_loopback_address() if (lisp_nat) else None
addr_pfilter = ""
addresses = lisp.lisp_get_all_addresses()
for addr in addresses:
if (addr == loopback): continue
addr_pfilter += "{}".format(addr)
if (addresses[-1] == addr): break
addr_pfilter += " or "
#endif
if (src_pfilter != ""):
src_pfilter = " and (src net {})".format(src_pfilter)
#endif
if (dst_pfilter != ""):
dst_pfilter = " and not (dst net {})".format(dst_pfilter)
#endif
if (addr_pfilter != ""):
addr_pfilter = " and not (dst host {})".format(addr_pfilter)
#endif
#
# A PITR wants to see packets from anywhere so it can encap to possible
# LISP sites. But we want the kernel to route and consume for RLOCs for
# this system.
#
if (pitr):
dst_pfilter = ""
addr_pfilter = addr_pfilter.replace("dst ", "")
#endif
#
# Concatenate all the filters.
#
pfilter = ether_pfilter + src_pfilter + dst_pfilter + addr_pfilter
pfilter += probe_pfilter
pfilter += decent_pfilter
lisp.lprint("Using pcap filter: '{}'".format(pfilter))
return(pfilter)
