def snoop_delete_iptables_chain(is_igmp, table, chain):
    """Flush (-F) and then delete (-X) the IGMP/MLD snoop chain.

    Used when snooping is disabled globally.  ``is_igmp`` selects
    ``iptables`` (True) or ``ip6tables`` (False).  Both commands are always
    attempted; the function returns False if either exits non-zero.

    The command line is built by concatenation and then split on
    whitespace, so ``table`` and ``chain`` must be single tokens -- a value
    containing whitespace would turn into extra argv entries.  The visible
    callers pass module constants, so this is a constraint, not a hole.
    """
    tool = 'iptables' if is_igmp else 'ip6tables'
    output = []
    ok = True
    # Flush first: -X needs an empty chain, and is expected to fail while a
    # jump rule still references the chain.
    for action in ('-F', '-X'):
        argv = ' '.join([tool, '-t', table, action, chain]).split()
        if mcast_utils.run_command(argv, output) != 0:
            ok = False
    return ok
def snoop_create_iptables_chain(is_igmp, table, chain):
    """Create the IGMP/MLD snoop chain in ``table`` and populate it.

    Uses ``iptables`` (``is_igmp`` True) or ``ip6tables``.  The chain is
    created with -N, then every rule in the module-level ``igmp_add_rules``
    / ``mld_add_rules`` list is appended unless a -C check says it is
    already present (so the call is idempotent).  Returns False if any
    append fails.

    The -N exit status is deliberately ignored so that an already-existing
    chain is not treated as an error; any other -N failure is not reported
    here.  ``chain`` is only used for -N -- the rule strings are presumably
    written to name the chain themselves (confirm against the rule lists).
    """
    tool = 'iptables' if is_igmp else 'ip6tables'
    chain_rules = igmp_add_rules if is_igmp else mld_add_rules
    rule_prefix = tool + ' -t ' + table
    output = []

    mcast_utils.run_command((rule_prefix + ' -N ' + chain).split(), output)

    ok = True
    for rule in chain_rules:
        check_argv = (rule_prefix + ' -C ' + rule).split()
        if mcast_utils.run_command(check_argv, output) == 0:
            continue  # rule already installed
        append_argv = (rule_prefix + ' -A ' + rule).split()
        if mcast_utils.run_command(append_argv, output) != 0:
            ok = False

    return ok
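def remove_ebtables_rules(table, chain, rules):
    """Delete each of ``rules`` from ebtables ``table``/``chain`` if present.

    The current chain listing is read once via read_ebtable_rules(); a rule
    is deleted (-D) only when it appears in that listing, so rules that are
    already gone are skipped silently.  Returns False if any -D fails.

    Caveats: the presence test compares the rule string against the raw
    ``ebtables -L`` output, so a rule that ebtables prints differently from
    how it is spelled in ``rules`` is left in place without any log line.
    Previously the command was built as ``chain + rule`` and only worked
    because callers pad ``chain`` with spaces; an explicit separator is now
    inserted (split() collapses the duplicate whitespace for those callers).
    The delete command also gets its own output buffer so command output
    can no longer be appended into the listing used for the presence test.
    """
    ret = True
    listing = read_ebtable_rules(table, chain)

    ebtable_prefix = 'ebtables -t ' + table

    for rule in rules:
        if rule not in listing:
            continue
        cmd = (ebtable_prefix + ' -D ' + chain + ' ' + rule).split()
        out = []
        if mcast_utils.run_command(cmd, out) != 0:
            ret = False
            mcast_utils.log_err("Failed to DELETE : %s " % (rule))
        else:
            mcast_utils.log_info("Succesfully DELETED : %s " % (rule))

    return ret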
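def snoop_remove_rule_chain(is_igmp):
    """Tear down the global IGMP (``is_igmp`` True) or MLD snooping filters.

    Reverses snoop_add_rule_chain(): removes the raw-table PREROUTING jump
    rule, flushes and deletes the IGMPSNOOP/MLDSNOOP chain, deletes the
    ebtables nat POSTROUTING rules and finally disables
    bridge_nf_call_iptables / bridge_nf_call_ip6tables.

    Returns True only if every step succeeded.  The ebtables and bridge-nf
    steps abort the teardown early on failure; the iptables steps are all
    attempted and their failure is carried into the final return value
    (previously the ebtables step's result overwrote it, so an iptables
    failure was only logged and the function still reported success).
    """
    res = []
    if is_igmp:
        proto = 'IGMP'
        ipt = 'iptables'
        chain_name = IGMP_CHAIN_NAME
        preroute_rule = igmp_preroute_rule
        ebtable_rules = igmp_global_ebtable_rule
        bridge_nf_knob = 'bridge_nf_call_iptables'
    else:
        proto = 'MLD'
        ipt = 'ip6tables'
        chain_name = MLD_CHAIN_NAME
        preroute_rule = mld_preroute_rule
        ebtable_rules = mld_global_ebtable_rule
        bridge_nf_knob = 'bridge_nf_call_ip6tables'

    mcast_utils.log_info('Remove %s chain' % (chain_name))

    ret = True
    # Remove the PREROUTING jump into the snoop chain first.  -C is checked
    # so that an already-absent rule is not counted as a failure.
    rule_prefix = ipt + ' -t raw '
    cmd = (rule_prefix + ' -C ' + preroute_rule).split()
    if mcast_utils.run_command(cmd, res) == 0:
        cmd = (rule_prefix + ' -D ' + preroute_rule).split()
        if mcast_utils.run_command(cmd, res) != 0:
            ret = False

    # Short-circuit on purpose: if the jump rule is still in place the
    # chain cannot be deleted anyway, so do not attempt it.
    ret = ret and snoop_delete_iptables_chain(is_igmp, 'raw', chain_name)

    mcast_utils.log_info('Remove %s chain ret = %d' % (chain_name, ret))

    # Delete the EBTABLES nat POSTROUTING marking rules.
    if remove_ebtables_rules(' nat ', ' POSTROUTING ', ebtable_rules) is False:
        mcast_utils.log_err(
            'Failed to Delete EBTABLE %s rules from nat POSTROUTING chain' %
            (proto))
        return False

    if snoop_bridge_nf_iptables_disable(is_igmp) is False:
        mcast_utils.log_err('Failed to disable %s' % (bridge_nf_knob))
        return False

    mcast_utils.log_info(
        'All %s global Ebtables/Iptables rules removed with ret = %d' %
        (proto, ret))
    return ret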
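def snoop_add_rule_chain(is_igmp):
    """Install the global IGMP (``is_igmp`` True) or MLD snooping filters.

    Steps, in order, each aborting with False on failure:
      1. create the IGMPSNOOP/MLDSNOOP chain in the iptables/ip6tables raw
         table and fill it (snoop_create_iptables_chain);
      2. add the raw PREROUTING jump rule into that chain (-C first, -A
         only if missing, so the call is idempotent);
      3. add the ebtables nat POSTROUTING marking rules;
      4. enable bridge_nf_call_iptables / bridge_nf_call_ip6tables.
    The chain and its rules are in place before step 4 turns the traffic
    on, so no window exists where bridged IGMP/MLD reaches an empty chain.
    Returns the result of the last step performed.

    The "chain created" debug line used to be emitted only on the MLD path;
    it is now emitted for both protocols.
    """
    res = []

    mcast_utils.log_debug('Create chain: %d' % (is_igmp))
    #EBTABLES:
    #For each snoop disabled VLAN's, received IGMP/MLD packets are marked
    #and dropped in iptables raw table IGMPSNOOP/MLDSNOOP chain.
    # Here:
    #1. Create IGMPSNOOP/MLDSNOOP chain in iptables raw table to check the
    #   IGMP/MLD packet types and drop all the iGMP/MLD packets other than query
    #   for enabled VLANs. For enabled VLAN's snoop application will decide what
    #   to do with the packet.
    #2. Create a Rule in iptables raw table PREROUTING chain to catch
    #   marked (snooping enabled VLAN's) IGMP/MLD packets and redirect to
    #   IGMPSNOOOP/MLDSNOOP chain
    if is_igmp:
        proto = 'IGMP'
        ipt = 'iptables'
        chain_name = IGMP_CHAIN_NAME
        preroute_rule = igmp_preroute_rule
        ebtable_rules = igmp_global_ebtable_rule
        bridge_nf_knob = 'bridge_nf_call_iptables'
    else:
        proto = 'MLD'
        ipt = 'ip6tables'
        chain_name = MLD_CHAIN_NAME
        preroute_rule = mld_preroute_rule
        ebtable_rules = mld_global_ebtable_rule
        bridge_nf_knob = 'bridge_nf_call_ip6tables'

    ret = snoop_create_iptables_chain(is_igmp, 'raw', chain_name)
    if ret is False:
        mcast_utils.log_err(
            'Failed to create/add %s rules to %s chain' % (ipt, chain_name))
        return ret

    # Add PREROUTING rule.  -A appends, so its position relative to any
    # pre-existing raw PREROUTING rules depends on what is already there.
    rule_prefix = ipt + ' -t raw '
    cmd = (rule_prefix + ' -C ' + preroute_rule).split()
    if mcast_utils.run_command(cmd, res) != 0:
        cmd = (rule_prefix + ' -A ' + preroute_rule).split()
        if mcast_utils.run_command(cmd, res) != 0:
            mcast_utils.log_err(
                'Failed to add %s rules to PREROUTING chain' % (ipt))
            return False

    mcast_utils.log_debug('%s chain created and rules added succesfully' %
                          (chain_name))

    #Add EBTABLES nat POSTROUTING IGMP/MLD rules
    ret = add_ebtable_rules(' nat ', ' POSTROUTING ', ebtable_rules)
    if ret is False:
        mcast_utils.log_err(
            'Failed to add %s EBTABLE rules to nat POSTROUTING chain' %
            (proto))
        return ret

    # NOTE(review): bridge_nf_call_iptables is a host-wide sysctl -- once
    # enabled, every bridged frame traverses the host's iptables ruleset,
    # not just the snoop chain added here.  Confirm the rest of the ruleset
    # is written with that in mind.
    ret = snoop_bridge_nf_iptables_enable(is_igmp)
    if ret is False:
        mcast_utils.log_err('Failed to enable %s' % (bridge_nf_knob))
        return ret

    mcast_utils.log_info(
        'All %s global Ebtables/Iptables created and rules added succesfully' %
        (proto))

    return ret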
def read_ebtable_rules(table, chain):
    """Return the raw ``ebtables -t TABLE -L CHAIN`` output for ``chain``.

    The output is whatever mcast_utils.run_command collects into the list
    it is given; the command's exit status is not checked, so on failure
    the (presumably empty) buffer is returned and callers will see no rules.
    ``table``/``chain`` are split on whitespace together with the rest of
    the command line, so callers may pass them padded with spaces.
    """
    argv = ' '.join(['ebtables', '-t', table, '-L', chain]).split()
    listing = []
    mcast_utils.run_command(argv, listing)
    mcast_utils.log_debug("ebtable dump: %s" % (listing))
    return listing