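def main(command, phys_dev_name):
    """Reinstall the baseline OpenFlow rules on the bridge of *phys_dev_name*.

    Every flow on the bridge is deleted first.  For ``'online'`` and
    ``'reset'`` the low-priority baseline is then put back: frames entering
    from the physical NIC are switched normally, frames from the bridge's own
    ``LOCAL`` port are allowed only when ``ip addr show`` reports an IPv4
    address on the bridge, and everything else is dropped.  Any other
    *command* only clears the flows and installs nothing.

    Args:
        command: ``'online'`` or ``'reset'`` to reinstall the baseline; any
            other value merely clears the bridge.
        phys_dev_name: the physical interface whose bridge is reconfigured.
    """

    def ovs_ofctl(*rule):
        # Plain argv, no shell: bridge and port values are separate arguments.
        return novalib.execute('/usr/bin/ovs-ofctl', *rule)

    bridge_name = novalib.execute_get_output('/usr/bin/ovs-vsctl',
                                             'iface-to-br', phys_dev_name)

    # Always clear all flows first.
    # NOTE(review): for commands other than 'online'/'reset' the bridge is
    # left with no explicit flow at all; what happens to traffic then depends
    # on OVS's table-miss behaviour for this bridge -- confirm that state is
    # the intended one.
    ovs_ofctl('del-flows', bridge_name)

    if command not in ('online', 'reset'):
        return

    pnic_ofport = novalib.execute_get_output('/usr/bin/ovs-vsctl', 'get',
                                             'Interface', phys_dev_name,
                                             'ofport')

    # These flows are lower priority than all VM-specific flows.
    # Allow all traffic from the physical NIC, as it is trusted (i.e.,
    # from a filtered vif, or from the physical infrastructure).
    ovs_ofctl('add-flow', bridge_name,
              "priority=2,in_port=%s,actions=normal" % pnic_ofport)

    # Allow traffic from dom0 if there is a management interface present
    # (its IP address is on the bridge itself).
    bridge_addr = novalib.execute_get_output('/sbin/ip', '-o', '-f', 'inet',
                                             'addr', 'show', bridge_name)
    if bridge_addr != '':
        ovs_ofctl('add-flow', bridge_name,
                  "priority=2,in_port=LOCAL,actions=normal")

    # Default drop: anything not matched by a higher-priority flow.
    ovs_ofctl('add-flow', bridge_name, 'priority=1,actions=drop')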
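def _networking_entries(dom_id):
    """Yield the JSON-decoded per-MAC networking records of domain *dom_id*.

    Lists ``/local/domain/<dom_id>/vm-data/networking`` with ``xenstore-ls``
    and reads every child with ``xenstore-read``.
    """
    xs_dir = '/local/domain/%s/vm-data/networking' % dom_id
    xsls = novalib.execute_get_output('/usr/bin/xenstore-ls', xs_dir)
    for line in xsls.splitlines():
        mac = line.split("=")[0].strip()
        xsread = novalib.execute_get_output('/usr/bin/xenstore-read',
                                            '%s/%s' % (xs_dir, mac))
        yield json.loads(xsread)


def _vif_for_label(data, dom_id):
    """Return ``(vif_name, phys_dev)`` that a networking record belongs to.

    A ``"public"`` label maps to ``vif<dom_id>.0`` on ``eth0``; every other
    label maps to ``vif<dom_id>.1`` on ``eth1``.
    """
    if data["label"] == "public":
        return "vif%s.0" % dom_id, "eth0"
    return "vif%s.1" % dom_id, "eth1"


def main(command, vif_raw, net_type):
    """Install (``'online'``) or remove (``'offline'``) a VIF's OpenFlow rules.

    *vif_raw* has the form ``<name>-<dom_id>-<index>`` and is rewritten to
    the ``<name><dom_id>.<index>`` device name.  The domain's networking
    records are read from xenstore; the one whose label selects this VIF
    supplies the MAC and addresses used in the flow parameters.

    Args:
        command: ``'online'`` or ``'offline'``; anything else is a no-op.
        vif_raw: dash-separated VIF description (see above).
        net_type: ``'ipv4'``, ``'ipv6'`` or ``'all'``; selects which address
            families get flows on ``'online'``.

    Raises:
        ValueError: if *vif_raw* does not split into exactly three parts.
    """
    if command not in ('online', 'offline'):
        return

    vif_name, dom_id, vif_index = vif_raw.split('-')
    vif = "%s%s.%s" % (vif_name, dom_id, vif_index)
    bridge = novalib.execute_get_output('/usr/bin/ovs-vsctl',
                                        'iface-to-br', vif)

    # NOTE(review): the MAC and addresses that end up in the flow rules come
    # from the domain's vm-data/networking xenstore records, so the filtering
    # is only as trustworthy as the writer of those records -- confirm the
    # guest itself has no write access to that subtree.
    for data in _networking_entries(dom_id):
        this_vif, phys_dev = _vif_for_label(data, dom_id)
        if vif != this_vif:
            continue

        vif_ofport = novalib.execute_get_output('/usr/bin/ovs-vsctl', 'get',
                                                'Interface', vif, 'ofport')
        phys_ofport = novalib.execute_get_output('/usr/bin/ovs-vsctl', 'get',
                                                 'Interface', phys_dev,
                                                 'ofport')
        params = dict(VIF_NAME=vif, MAC=data['mac'], OF_PORT=vif_ofport,
                      PHYS_PORT=phys_ofport)
        ovs = OvsFlow(bridge, params)

        if command == 'offline':
            # I haven't found a way to clear only IPv4 or IPv6 rules.
            ovs.clear_flows(vif_ofport)
            continue

        # command == 'online' from here on.
        # NOTE(review): addresses are written into ovs.params while the
        # original `params` dict is what the apply_* helpers receive; this
        # only works if OvsFlow keeps a reference to that same dict rather
        # than copying it -- confirm against OvsFlow.__init__.
        if net_type in ('ipv4', 'all') and 'ips' in data:
            for ip4 in data['ips']:
                ovs.params.update({'IPV4_ADDR': ip4['ip']})
                apply_ovs_ipv4_flows(ovs, bridge, params)

        if net_type in ('ipv6', 'all') and data.get('ip6s'):
            # The EUI-64 link-local address depends only on the MAC, so it is
            # derived once per record instead of once per global address.
            mac_eui64 = netaddr.EUI(data['mac']).eui64()
            link_local = str(mac_eui64.ipv6_link_local())
            ovs.params.update({'IPV6_LINK_LOCAL_ADDR': link_local})
            for ip6 in data['ip6s']:
                ovs.params.update({'IPV6_GLOBAL_ADDR': ip6['ip']})
                apply_ovs_ipv6_flows(ovs, bridge, params)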
def main(command, vif_raw, net_type):
    """Bring a guest VIF's OpenFlow filtering rules online or offline.

    *vif_raw* is ``<name>-<dom_id>-<index>``; the matching device is
    ``<name><dom_id>.<index>``.  The domain's xenstore networking records are
    scanned and the one whose label designates this VIF provides the MAC and
    addresses for the rules.

    Args:
        command: ``'online'`` or ``'offline'``; any other value returns
            without doing anything.
        vif_raw: dash-separated VIF description.
        net_type: ``'ipv4'``, ``'ipv6'`` or ``'all'``.

    Raises:
        ValueError: when *vif_raw* does not contain exactly two dashes.
    """
    if command not in ('online', 'offline'):
        return

    prefix, dom_id, index = vif_raw.split('-')
    vif = "%s%s.%s" % (prefix, dom_id, index)
    bridge = novalib.execute_get_output('/usr/bin/ovs-vsctl',
                                        'iface-to-br', vif)

    def ofport_of(iface):
        # OpenFlow port number of an interface, as reported by ovs-vsctl.
        return novalib.execute_get_output('/usr/bin/ovs-vsctl', 'get',
                                          'Interface', iface, 'ofport')

    net_root = '/local/domain/%s/vm-data/networking' % dom_id
    listing = novalib.execute_get_output('/usr/bin/xenstore-ls', net_root)
    for entry in listing.splitlines():
        mac_key = entry.split("=")[0].strip()
        # Records are host-written metadata read back from xenstore.
        record = json.loads(novalib.execute_get_output(
            '/usr/bin/xenstore-read', '%s/%s' % (net_root, mac_key)))

        if record["label"] == "public":
            expected_vif, uplink = "vif%s.0" % dom_id, "eth0"
        else:
            expected_vif, uplink = "vif%s.1" % dom_id, "eth1"
        if vif != expected_vif:
            continue

        vif_ofport = ofport_of(vif)
        uplink_ofport = ofport_of(uplink)
        params = dict(VIF_NAME=vif, MAC=record['mac'], OF_PORT=vif_ofport,
                      PHYS_PORT=uplink_ofport)
        flow = OvsFlow(bridge, params)

        if command == 'offline':
            # I haven't found a way to clear only IPv4 or IPv6 rules.
            flow.clear_flows(vif_ofport)
        elif command == 'online':
            want_v4 = net_type in ('ipv4', 'all')
            want_v6 = net_type in ('ipv6', 'all')
            if want_v4 and 'ips' in record:
                for addr4 in record['ips']:
                    flow.params.update({'IPV4_ADDR': addr4['ip']})
                    apply_ovs_ipv4_flows(flow, bridge, params)
            if want_v6 and 'ip6s' in record:
                for addr6 in record['ip6s']:
                    # Link-local address derived from the MAC (EUI-64).
                    eui64 = netaddr.EUI(record['mac']).eui64()
                    flow.params.update(
                        {'IPV6_LINK_LOCAL_ADDR': str(eui64.ipv6_link_local())})
                    flow.params.update({'IPV6_GLOBAL_ADDR': addr6['ip']})
                    apply_ovs_ipv6_flows(flow, bridge, params)
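def main(dom_id, command, only_this_vif=None):
    """Apply ebtables, arptables and iptables rules for a domain's addresses.

    Reads every record under ``/local/domain/<dom_id>/vm-data/networking``
    and, for each entry of the record's ``ips`` list, calls the three
    ``apply_*_rules`` helpers with *command* and a parameter dict holding the
    address, the VIF name and the MAC.

    Args:
        dom_id: the Xen domain id whose xenstore records are consulted.
        command: passed through unchanged to the ``apply_*_rules`` helpers.
        only_this_vif: when given, only records that map to this VIF name
            (``vif<dom_id>.0`` for ``"public"`` labels, ``vif<dom_id>.1``
            otherwise) are processed.
    """
    xsls = novalib.execute_get_output(
        '/usr/bin/xenstore-ls',
        '/local/domain/{0!s}/vm-data/networking'.format(dom_id))
    macs = [line.split("=")[0].strip() for line in xsls.splitlines()]
    for mac in macs:
        xsread = novalib.execute_get_output(
            '/usr/bin/xenstore-read',
            '/local/domain/{0!s}/vm-data/networking/{1!s}'.format(dom_id, mac))
        data = json.loads(xsread)
        ips = data['ips']
        if not ips:
            continue

        # The VIF is a property of the record, not of each address, so the
        # mapping and the only_this_vif filter are evaluated once per record.
        if data["label"] == "public":
            vif = "vif{0!s}.0".format(dom_id)
        else:
            vif = "vif{0!s}.1".format(dom_id)
        if only_this_vif is not None and vif != only_this_vif:
            continue

        for ip in ips:
            params = dict(IP=ip['ip'], VIF=vif, MAC=data['mac'])
            apply_ebtables_rules(command, params)
            apply_arptables_rules(command, params)
            apply_iptables_rules(command, params)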
def main(dom_id, command, only_this_vif=None):
    """Push ebtables/arptables/iptables rules for every address of a domain.

    Each xenstore record below ``/local/domain/<dom_id>/vm-data/networking``
    is decoded, and for each entry in its ``ips`` list the three
    ``apply_*_rules`` helpers are invoked with *command* and a dict of
    ``IP``, ``VIF`` and ``MAC``.

    Args:
        dom_id: Xen domain id.
        command: forwarded verbatim to the ``apply_*_rules`` helpers.
        only_this_vif: restrict processing to records mapping to this VIF
            name; ``None`` processes all records.
    """
    base = "/local/domain/%s/vm-data/networking" % dom_id
    listing = novalib.execute_get_output("/usr/bin/xenstore-ls", base)
    keys = [item.split("=")[0].strip() for item in listing.splitlines()]
    for key in keys:
        raw = novalib.execute_get_output("/usr/bin/xenstore-read",
                                         "%s/%s" % (base, key))
        record = json.loads(raw)
        for addr in record["ips"]:
            # "public" records belong to the first VIF, all others to the second.
            suffix = 0 if record["label"] == "public" else 1
            vif = "vif%s.%s" % (dom_id, suffix)
            if only_this_vif is not None and vif != only_this_vif:
                continue
            rule_params = dict(IP=addr["ip"], VIF=vif, MAC=record["mac"])
            apply_ebtables_rules(command, rule_params)
            apply_arptables_rules(command, rule_params)
            apply_iptables_rules(command, rule_params)
def main(command, vif_raw, net_type):
    """Install or remove the OpenFlow rules of one guest VIF on its xenbr bridge.

    *vif_raw* is ``<name>-<dom_id>-<index>``; the device is
    ``<name><dom_id>.<index>`` and the bridge is ``xenbr<index>``.  The
    domain's xenstore networking records are scanned for the one that maps
    to this VIF, which supplies the MAC and addresses for the rules.

    Args:
        command: ``"online"`` or ``"offline"``; anything else returns at once.
        vif_raw: dash-separated VIF description.
        net_type: ``"ipv4"``, ``"ipv6"`` or ``"all"``.

    Raises:
        ValueError: if *vif_raw* does not split into exactly three fields.
    """
    if command not in ("online", "offline"):
        return

    prefix, dom_id, index = vif_raw.split("-")
    vif = "%s%s.%s" % (prefix, dom_id, index)
    bridge = "xenbr%s" % index

    net_path = "/local/domain/%s/vm-data/networking" % dom_id
    listing = execute_get_output("/usr/bin/xenstore-ls", net_path)
    for line in listing.splitlines():
        key = line.split("=")[0].strip()
        record = json.loads(execute_get_output(
            "/usr/bin/xenstore-read", "%s/%s" % (net_path, key)))

        # "public" records belong to vif<dom_id>.0, everything else to .1.
        owner_suffix = "0" if record["label"] == "public" else "1"
        if vif != "vif%s.%s" % (dom_id, owner_suffix):
            continue

        vif_ofport = execute_get_output("/usr/bin/ovs-vsctl", "get",
                                        "Interface", vif, "ofport")
        params = dict(VIF_NAME=vif, MAC=record["mac"], OF_PORT=vif_ofport)
        ovs = OvsFlow(bridge, params)

        if command == "offline":
            # I haven't found a way to clear only IPv4 or IPv6 rules.
            ovs.clear_flows(vif_ofport)
            continue

        # command == "online" from here on.
        if net_type in ("ipv4", "all") and "ips" in record:
            for v4 in record["ips"]:
                ovs.params.update({"IPV4_ADDR": v4["ip"]})
                apply_ovs_ipv4_flows(ovs, bridge, params)
        if net_type in ("ipv6", "all") and "ip6s" in record:
            for v6 in record["ip6s"]:
                # EUI-64 link-local address derived from the record's MAC.
                eui64 = netaddr.EUI(record["mac"]).eui64()
                ovs.params.update(
                    {"IPV6_LINK_LOCAL_ADDR": str(eui64.ipv6_link_local())})
                ovs.params.update({"IPV6_GLOBAL_ADDR": v6["ip"]})
                apply_ovs_ipv6_flows(ovs, bridge, params)
def main(dom_id, command, only_this_vif=None):
    """Run the ebtables/arptables/iptables helpers for a domain's addresses.

    Every record under ``/local/domain/<dom_id>/vm-data/networking`` is
    decoded from xenstore; for each element of its ``ips`` list the three
    ``apply_*_rules`` helpers receive *command* and a dict with ``IP``,
    ``VIF`` and ``MAC``.

    Args:
        dom_id: Xen domain id.
        command: forwarded to the ``apply_*_rules`` helpers as-is.
        only_this_vif: if not ``None``, only addresses whose record maps to
            this VIF name are handled.
    """

    def _apply_all(params):
        # The three rule families are always applied together, in this order.
        apply_ebtables_rules(command, params)
        apply_arptables_rules(command, params)
        apply_iptables_rules(command, params)

    xs_dir = '/local/domain/%s/vm-data/networking' % dom_id
    listing = novalib.execute_get_output('/usr/bin/xenstore-ls', xs_dir)
    keys = [ln.split("=")[0].strip() for ln in listing.splitlines()]
    for key in keys:
        raw = novalib.execute_get_output('/usr/bin/xenstore-read',
                                         '%s/%s' % (xs_dir, key))
        record = json.loads(raw)
        for addr in record['ips']:
            # "public" records map to the first VIF, all others to the second.
            vif = "vif%s.%d" % (dom_id,
                                0 if record["label"] == "public" else 1)
            if only_this_vif is None or vif == only_this_vif:
                _apply_all(dict(IP=addr['ip'], VIF=vif, MAC=record['mac']))
def main(command, phys_dev_name, bridge_name):
    """Reset *bridge_name* to its baseline OpenFlow rules.

    All flows are removed first.  For ``'online'`` and ``'reset'`` two
    low-priority flows are then installed: frames entering from
    *phys_dev_name* are switched normally, everything else is dropped.  Any
    other *command* leaves the bridge with no flows installed.

    Args:
        command: ``'online'`` or ``'reset'`` reinstalls the baseline; other
            values only clear the bridge.
        phys_dev_name: physical interface whose OpenFlow port is trusted.
        bridge_name: the bridge whose flow table is rewritten.
    """

    def run_ofctl(*args):
        # argv form, no shell involved.
        return execute('/usr/bin/ovs-ofctl', *args)

    # Always clear all flows first.
    run_ofctl('del-flows', bridge_name)

    if command not in ('online', 'reset'):
        return

    pnic_ofport = execute_get_output('/usr/bin/ovs-vsctl', 'get',
                                     'Interface', phys_dev_name, 'ofport')

    # These flows are lower priority than all VM-specific flows.
    # Allow all traffic from the physical NIC, as it is trusted (i.e.,
    # from a filtered vif, or from the physical infrastructure).
    trusted_in = "priority=2,in_port=%s,actions=normal" % pnic_ofport
    run_ofctl('add-flow', bridge_name, trusted_in)

    # Default drop for everything else.
    run_ofctl('add-flow', bridge_name, 'priority=1,actions=drop')