def main(command, phys_dev_name):
    """Reset the baseline OpenFlow table on the bridge behind phys_dev_name.

    The bridge's flow table is flushed unconditionally.  For 'online' and
    'reset' the low-priority defaults are then re-installed: pass traffic
    arriving from the physical NIC, pass traffic from the bridge's LOCAL
    port when the bridge interface itself carries an IPv4 address (i.e. a
    dom0 management interface), and drop everything else.  Any other
    command leaves the bridge with an empty flow table.
    """
    def ovs_ofctl(*rule):
        return execute('/usr/bin/ovs-ofctl', *rule)

    bridge_name = execute_get_output('/usr/bin/ovs-vsctl', 'iface-to-br',
                                     phys_dev_name)

    # Start from a clean table regardless of command.
    ovs_ofctl('del-flows', bridge_name)

    if command not in ('online', 'reset'):
        return

    pnic_ofport = execute_get_output('/usr/bin/ovs-vsctl', 'get',
                                     'Interface', phys_dev_name, 'ofport')

    # Priority 2 sits below the per-VM flows installed elsewhere; traffic
    # from the physical NIC is treated as trusted (it comes from a filtered
    # vif or from the physical infrastructure).
    ovs_ofctl('add-flow', bridge_name,
              "priority=2,in_port=%s,actions=normal" % pnic_ofport)

    # dom0 gets the same allowance only when a management address lives on
    # the bridge interface itself ('ip addr show' prints nothing otherwise).
    bridge_addr = execute_get_output('/sbin/ip', '-o', '-f', 'inet', 'addr',
                                     'show', bridge_name)
    if bridge_addr != '':
        ovs_ofctl('add-flow', bridge_name,
                  "priority=2,in_port=LOCAL,actions=normal")

    # Anything not matched above is dropped.
    ovs_ofctl('add-flow', bridge_name, 'priority=1,actions=drop')
def main(command, phys_dev_name):
    """Flush, and for 'online'/'reset' re-install, the baseline bridge flows.

    The bridge is looked up from phys_dev_name.  After the unconditional
    flush, 'online' and 'reset' add three low-priority defaults in order:
    normal forwarding for frames from the physical NIC, normal forwarding
    for frames from the LOCAL port if the bridge interface has an IPv4
    address, and a catch-all drop.  Other commands only flush.
    """
    def del_flows(bridge):
        return execute('/usr/bin/ovs-ofctl', 'del-flows', bridge)

    def add_flow(bridge, spec):
        return execute('/usr/bin/ovs-ofctl', 'add-flow', bridge, spec)

    bridge_name = execute_get_output('/usr/bin/ovs-vsctl', 'iface-to-br',
                                     phys_dev_name)

    # Flush first, whatever the command is.
    del_flows(bridge_name)

    if command in ('online', 'reset'):
        pnic_ofport = execute_get_output('/usr/bin/ovs-vsctl', 'get',
                                         'Interface', phys_dev_name, 'ofport')

        # Baseline flows, lower priority than any VM-specific flow.  The
        # physical NIC is trusted: its traffic comes from a filtered vif or
        # from the physical infrastructure.
        add_flow(bridge_name,
                 "priority=2,in_port=%s,actions=normal" % pnic_ofport)

        # dom0 is let through only if a management address is configured on
        # the bridge interface itself.
        bridge_addr = execute_get_output('/sbin/ip', '-o', '-f', 'inet',
                                         'addr', 'show', bridge_name)
        if bridge_addr != '':
            add_flow(bridge_name, "priority=2,in_port=LOCAL,actions=normal")

        # Catch-all for everything the flows above did not match.
        add_flow(bridge_name, 'priority=1,actions=drop')
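def _networking_entries(dom_id):
    """Yield the decoded vm-data/networking records of domain dom_id.

    Each key under /local/domain/<dom_id>/vm-data/networking is read with
    xenstore-read and parsed as JSON; the records are yielded in the order
    xenstore-ls lists them.
    """
    xsls = execute_get_output('/usr/bin/xenstore-ls',
                              '/local/domain/%s/vm-data/networking' % dom_id)
    for line in xsls.splitlines():
        mac = line.split("=")[0].strip()
        xsread = execute_get_output(
            '/usr/bin/xenstore-read',
            '/local/domain/%s/vm-data/networking/%s' % (dom_id, mac))
        yield json.loads(xsread)


def _vif_and_phys_dev(dom_id, label):
    """Return the (vif name, physical device) pair a record's label maps to.

    'public' is wired to vif<dom_id>.0 / eth0; every other label to
    vif<dom_id>.1 / eth1.
    """
    if label == "public":
        return "vif%s.0" % dom_id, "eth0"
    return "vif%s.1" % dom_id, "eth1"


def main(command, vif_raw, net_type):
    """Install or clear the per-VIF OpenFlow rules for one vif hotplug event.

    Args:
        command: 'online' installs flows, 'offline' clears them; any other
            value is ignored.
        vif_raw: the vif as '<name>-<dom_id>-<index>', turned into the
            device name '<name><dom_id>.<index>'.
        net_type: 'ipv4', 'ipv6' or 'all' — which address families get
            flows on 'online'.  'offline' always clears both families.

    Raises:
        ValueError: if vif_raw does not split into exactly three parts.
    """
    if command not in ('online', 'offline'):
        return

    vif_name, dom_id, vif_index = vif_raw.split('-')
    vif = "%s%s.%s" % (vif_name, dom_id, vif_index)

    bridge = execute_get_output('/usr/bin/ovs-vsctl', 'iface-to-br', vif)

    for data in _networking_entries(dom_id):
        this_vif, phys_dev = _vif_and_phys_dev(dom_id, data["label"])
        if vif != this_vif:
            continue

        vif_ofport = execute_get_output('/usr/bin/ovs-vsctl', 'get',
                                        'Interface', vif, 'ofport')
        phys_ofport = execute_get_output('/usr/bin/ovs-vsctl', 'get',
                                         'Interface', phys_dev, 'ofport')

        params = dict(VIF_NAME=vif,
                      MAC=data['mac'],
                      OF_PORT=vif_ofport,
                      PHYS_PORT=phys_ofport)
        # NOTE(review): the address keys are written to ovs.params but the
        # apply_* helpers receive the local `params` — this only works if
        # OvsFlow keeps the very same dict rather than a copy; confirm.
        ovs = OvsFlow(bridge, params)

        if command == 'offline':
            # Clears every flow of the port: IPv4 and IPv6 rules cannot be
            # cleared separately, so net_type plays no role here.
            ovs.clear_flows(vif_ofport)
            continue

        if net_type in ('ipv4', 'all'):
            # A record without 'ips' simply yields no IPv4 flows.
            for ip4 in data.get('ips', []):
                ovs.params['IPV4_ADDR'] = ip4['ip']
                apply_ovs_ipv4_flows(ovs, bridge, params)

        if net_type in ('ipv6', 'all'):
            ip6s = data.get('ip6s', [])
            if ip6s:
                # The link-local address derives from the MAC alone, so it is
                # computed once per record rather than once per global address.
                ovs.params['IPV6_LINK_LOCAL_ADDR'] = str(
                    netaddr.EUI(data['mac']).eui64().ipv6_link_local())
            for ip6 in ip6s:
                ovs.params['IPV6_GLOBAL_ADDR'] = ip6['ip']
                apply_ovs_ipv6_flows(ovs, bridge, params)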
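def main(command, vif_raw, net_type):
    """Install or clear the per-VIF OpenFlow rules for one vif hotplug event.

    The domain's networking records are read from
    /local/domain/<dom_id>/vm-data/networking (one JSON document per MAC
    key).  Only the record whose label maps to this vif ('public' ->
    vif<dom_id>.0 on eth0, anything else -> vif<dom_id>.1 on eth1) is acted
    upon.

    Args:
        command: 'online' installs flows, 'offline' clears them; any other
            value is ignored.
        vif_raw: the vif as '<name>-<dom_id>-<index>', turned into the
            device name '<name><dom_id>.<index>'.
        net_type: 'ipv4', 'ipv6' or 'all' — which address families get
            flows on 'online'.  'offline' always clears both families.

    Raises:
        ValueError: if vif_raw does not split into exactly three parts.
    """
    if command not in ('online', 'offline'):
        return

    vif_name, dom_id, vif_index = vif_raw.split('-')
    vif = "%s%s.%s" % (vif_name, dom_id, vif_index)

    bridge = execute_get_output('/usr/bin/ovs-vsctl', 'iface-to-br', vif)

    xsls = execute_get_output('/usr/bin/xenstore-ls',
                              '/local/domain/%s/vm-data/networking' % dom_id)
    macs = [line.split("=")[0].strip() for line in xsls.splitlines()]

    for mac in macs:
        xsread = execute_get_output('/usr/bin/xenstore-read',
                                    '/local/domain/%s/vm-data/networking/%s' %
                                    (dom_id, mac))
        data = json.loads(xsread)

        # The label fixes which vif / physical NIC pair the record belongs to.
        if data["label"] == "public":
            this_vif, phys_dev = "vif%s.0" % dom_id, "eth0"
        else:
            this_vif, phys_dev = "vif%s.1" % dom_id, "eth1"
        if vif != this_vif:
            continue

        vif_ofport = execute_get_output('/usr/bin/ovs-vsctl', 'get',
                                        'Interface', vif, 'ofport')
        phys_ofport = execute_get_output('/usr/bin/ovs-vsctl', 'get',
                                         'Interface', phys_dev, 'ofport')

        params = dict(VIF_NAME=vif,
                      MAC=data['mac'],
                      OF_PORT=vif_ofport,
                      PHYS_PORT=phys_ofport)
        # NOTE(review): the address keys are written to ovs.params but the
        # apply_* helpers receive the local `params` — this only works if
        # OvsFlow keeps the very same dict rather than a copy; confirm.
        ovs = OvsFlow(bridge, params)

        if command == 'offline':
            # Clears every flow of the port: IPv4 and IPv6 rules cannot be
            # cleared separately, so net_type plays no role here.
            ovs.clear_flows(vif_ofport)
            continue

        if net_type in ('ipv4', 'all'):
            # A record without 'ips' simply yields no IPv4 flows.
            for ip4 in data.get('ips', []):
                ovs.params['IPV4_ADDR'] = ip4['ip']
                apply_ovs_ipv4_flows(ovs, bridge, params)

        if net_type in ('ipv6', 'all'):
            ip6s = data.get('ip6s', [])
            if ip6s:
                # The link-local address derives from the MAC alone, so it is
                # computed once per record rather than once per global address.
                ovs.params['IPV6_LINK_LOCAL_ADDR'] = str(
                    netaddr.EUI(data['mac']).eui64().ipv6_link_local())
            for ip6 in ip6s:
                ovs.params['IPV6_GLOBAL_ADDR'] = ip6['ip']
                apply_ovs_ipv6_flows(ovs, bridge, params)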
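def main(dom_id, command, only_this_vif=None):
    """Apply the ebtables/arptables/iptables rules for every IPv4 address of a domain.

    Args:
        dom_id: Xen domain id; its networking records are read from
            /local/domain/<dom_id>/vm-data/networking (one JSON document
            per MAC key, with at least 'label', 'mac' and 'ips').
        command: passed straight through to the apply_*_rules helpers; what
            they do with it is defined there.
        only_this_vif: when given, only records whose label resolves to
            this vif name (e.g. 'vif12.0') are processed.

    Raises:
        KeyError: if a record lacks 'ips', 'label' or 'mac'.
    """
    xsls = execute_get_output('/usr/bin/xenstore-ls',
                              '/local/domain/%s/vm-data/networking' % dom_id)
    macs = [line.split("=")[0].strip() for line in xsls.splitlines()]

    for mac in macs:
        xsread = execute_get_output(
            '/usr/bin/xenstore-read',
            '/local/domain/%s/vm-data/networking/%s' % (dom_id, mac))
        data = json.loads(xsread)

        ips = data['ips']
        if not ips:
            continue

        # The vif depends only on the record's label, not on the address,
        # so resolve it (and the only_this_vif filter) once per record.
        if data["label"] == "public":
            vif = "vif%s.0" % dom_id
        else:
            vif = "vif%s.1" % dom_id
        if only_this_vif is not None and vif != only_this_vif:
            continue

        for ip in ips:
            params = dict(IP=ip['ip'], VIF=vif, MAC=data['mac'])
            apply_ebtables_rules(command, params)
            apply_arptables_rules(command, params)
            apply_iptables_rules(command, params)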
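def main(dom_id, command, only_this_vif=None):
    """Apply the ebtables/arptables/iptables rules for every IPv4 address of a domain.

    Each MAC key under /local/domain/<dom_id>/vm-data/networking holds a
    JSON record; its 'label' selects the vif ('public' -> vif<dom_id>.0,
    anything else -> vif<dom_id>.1) and each entry of its 'ips' list gets
    one set of rules.

    Args:
        dom_id: Xen domain id whose records are read.
        command: passed straight through to the apply_*_rules helpers.
        only_this_vif: when given, records resolving to any other vif name
            are skipped.

    Raises:
        KeyError: if a record lacks 'ips', 'label' or 'mac'.
    """
    xsls = execute_get_output('/usr/bin/xenstore-ls',
                              '/local/domain/%s/vm-data/networking' % dom_id)
    macs = [line.split("=")[0].strip() for line in xsls.splitlines()]

    for mac in macs:
        xsread = execute_get_output('/usr/bin/xenstore-read',
                                    '/local/domain/%s/vm-data/networking/%s' %
                                    (dom_id, mac))
        data = json.loads(xsread)

        ips = data['ips']
        if not ips:
            continue

        # The vif is a property of the record, not of the address: resolve
        # it and apply the only_this_vif filter once instead of per IP.
        vif = "vif%s.0" % dom_id if data["label"] == "public" \
            else "vif%s.1" % dom_id
        if only_this_vif is not None and vif != only_this_vif:
            continue

        for ip in ips:
            params = dict(IP=ip['ip'], VIF=vif, MAC=data['mac'])
            apply_ebtables_rules(command, params)
            apply_arptables_rules(command, params)
            apply_iptables_rules(command, params)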