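def snoop_delete_iptables_chain(is_igmp, table, chain):
    """Flush and delete the IGMP/MLD snoop chain when snooping is disabled globally.

    Args:
        is_igmp: True selects ``iptables`` (IPv4/IGMP), False selects
            ``ip6tables`` (IPv6/MLD).
        table: netfilter table holding the chain (callers pass ``'raw'``).
        chain: name of the chain to flush (``-F``) and then delete (``-X``).

    Returns:
        True when both commands return 0, False if either one fails.  Both
        commands are always attempted; a failed flush does not skip the
        delete.  ``-X`` cannot remove a chain that is non-empty or still
        referenced by a jump rule, which is why the flush comes first and
        why callers remove the PREROUTING jump rule before calling this.
    """
    binary = 'iptables' if is_igmp else 'ip6tables'
    ret = True
    res = []
    for action in ('-F', '-X'):
        # The command string is whitespace-split into an argv list, so table
        # and chain must not contain spaces (callers pass module constants).
        cmd = ('%s -t %s %s %s' % (binary, table, action, chain)).split()
        if mcast_utils.run_command(cmd, res) != 0:
            ret = False
    return ret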
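def snoop_create_iptables_chain(is_igmp, table, chain):
    """Create the snoop chain and populate it with the IGMP/MLD rules.

    Called when snooping is enabled globally.

    Args:
        is_igmp: True -> ``iptables`` with the module-level ``igmp_add_rules``;
            False -> ``ip6tables`` with ``mld_add_rules``.
        table: netfilter table in which to create the chain (callers pass ``'raw'``).
        chain: name of the chain created with ``-N``.

    Returns:
        True if every rule is present afterwards (already installed, or
        appended successfully); False if any ``-A`` fails.  The exit status
        of ``-N`` is deliberately not checked: it fails when the chain already
        exists, which is presumably the normal re-enable path.
    """
    ret = True
    res = []
    if is_igmp:
        rule_prefix = 'iptables -t ' + table
        chain_rules = igmp_add_rules
    else:
        rule_prefix = 'ip6tables -t ' + table
        chain_rules = mld_add_rules
    # Return code intentionally ignored: -N fails if the chain already exists.
    mcast_utils.run_command((rule_prefix + ' -N ' + chain).split(), res)
    for rule in chain_rules:
        # Check (-C) before append (-A) so re-running never duplicates a rule.
        check_cmd = (rule_prefix + ' -C ' + rule).split()
        if mcast_utils.run_command(check_cmd, res) == 0:
            continue
        append_cmd = (rule_prefix + ' -A ' + rule).split()
        if mcast_utils.run_command(append_cmd, res) != 0:
            ret = False
    return ret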
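def remove_ebtables_rules(table, chain, rules):
    """Delete each of ``rules`` from an ebtables chain if it is currently installed.

    Args:
        table: ebtables table; callers pass it with surrounding spaces
            (e.g. ``' nat '``), which the whitespace split of the command
            string discards.
        chain: chain name, same convention (e.g. ``' POSTROUTING '``).
        rules: rule strings.  Each is tested for membership in the listing
            returned by read_ebtable_rules() and, when present, removed with
            ``ebtables -t <table> -D <chain> <rule>``.

    Returns:
        True if every installed rule was deleted, False if any ``-D`` failed.
        Rules that are not installed are skipped silently.
    """
    ret = True
    installed = read_ebtable_rules(table, chain)
    ebtable_prefix = 'ebtables -t ' + table
    for rule in rules:
        if rule not in installed:
            continue
        cmd = (ebtable_prefix + ' -D ' + chain + rule).split()
        # Fresh output buffer for the delete: the original reused the listing
        # as the buffer, so command output was mixed into the list that the
        # membership test above reads.
        out = []
        if mcast_utils.run_command(cmd, out) != 0:
            ret = False
            mcast_utils.log_err("Failed to DELETE : %s " % (rule))
        else:
            mcast_utils.log_info("Succesfully DELETED : %s " % (rule))
    return ret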
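def snoop_remove_rule_chain(is_igmp):
    """Tear down the global IGMP/MLD snooping rules.

    Reverse of snoop_add_rule_chain(): removes the raw-table PREROUTING jump
    rule, flushes/deletes the snoop chain, deletes the nat POSTROUTING ebtables
    rules and disables bridge_nf_call_ip(6)tables.

    Args:
        is_igmp: True for IGMP (iptables, IGMP_CHAIN_NAME, igmp_* rules),
            False for MLD (ip6tables, MLD_CHAIN_NAME, mld_* rules).

    Returns:
        False as soon as the ebtables rule removal or the bridge-nf disable
        fails (each failure is logged first); True otherwise.  A failure in
        the iptables part (PREROUTING rule or chain deletion) is only logged
        and does not affect the return value -- presumably best effort so that
        disabling still completes when the chain was never created; TODO
        confirm with callers before tightening this.
    """
    if is_igmp:
        binary = 'iptables'
        family = 'IGMP'
        chain_name = IGMP_CHAIN_NAME
        preroute_rule = igmp_preroute_rule
        ebtable_rules = igmp_global_ebtable_rule
    else:
        binary = 'ip6tables'
        family = 'MLD'
        chain_name = MLD_CHAIN_NAME
        preroute_rule = mld_preroute_rule
        ebtable_rules = mld_global_ebtable_rule

    res = []
    mcast_utils.log_info('Remove %s chain' % (chain_name))

    # Delete the PREROUTING jump rule only if it is present (-C).
    chain_ret = True
    rule_prefix = binary + ' -t raw '
    cmd = (rule_prefix + ' -C ' + preroute_rule).split()
    if mcast_utils.run_command(cmd, res) == 0:
        cmd = (rule_prefix + ' -D ' + preroute_rule).split()
        if mcast_utils.run_command(cmd, res) != 0:
            chain_ret = False
    # Only attempt the chain deletion once the jump rule is gone: -X cannot
    # remove a chain that is still referenced.
    if chain_ret:
        chain_ret = snoop_delete_iptables_chain(is_igmp, 'raw', chain_name)
    mcast_utils.log_info('Remove %s chain ret = %d' % (chain_name, chain_ret))

    # Delete EBTABLES nat POSTROUTING IGMP/MLD rules.
    ret = remove_ebtables_rules(' nat ', ' POSTROUTING ', ebtable_rules)
    if ret is False:
        mcast_utils.log_err(
            'Failed to Delete EBTABLE %s rules from nat POSTROUTING chain' % (family))
        return ret

    ret = snoop_bridge_nf_iptables_disable(is_igmp)
    if ret is False:
        mcast_utils.log_err('Failed to disable bridge_nf_call_%s' % (binary))
        return ret

    mcast_utils.log_info(
        'All %s global Ebtables/Iptables rules removed with ret = %d' % (family, ret))
    return ret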
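def snoop_add_rule_chain(is_igmp):
    """Install the global IGMP/MLD snooping rules.

    For each snoop-disabled VLAN, received IGMP/MLD packets are marked in
    ebtables and dropped in the iptables raw-table IGMPSNOOP/MLDSNOOP chain.
    This function:

    1. Creates the IGMPSNOOP/MLDSNOOP chain in the iptables raw table, whose
       rules check the IGMP/MLD packet type and drop everything other than
       queries for enabled VLANs (for enabled VLANs the snoop application
       decides what to do with the packet).
    2. Adds a rule to the raw-table PREROUTING chain that catches marked
       (snooping-enabled VLAN) IGMP/MLD packets and redirects them to the
       IGMPSNOOP/MLDSNOOP chain.
    3. Adds the ebtables nat POSTROUTING rules and enables
       bridge_nf_call_ip(6)tables.

    Args:
        is_igmp: True for IGMP (iptables, IGMP_CHAIN_NAME, igmp_* rules),
            False for MLD (ip6tables, MLD_CHAIN_NAME, mld_* rules).

    Returns:
        True when every step succeeded; False at the first failing step,
        which is logged with log_err before returning.
    """
    if is_igmp:
        binary = 'iptables'
        family = 'IGMP'
        chain_name = IGMP_CHAIN_NAME
        preroute_rule = igmp_preroute_rule
        ebtable_rules = igmp_global_ebtable_rule
    else:
        binary = 'ip6tables'
        family = 'MLD'
        chain_name = MLD_CHAIN_NAME
        preroute_rule = mld_preroute_rule
        ebtable_rules = mld_global_ebtable_rule

    res = []
    mcast_utils.log_debug('Create chain: %d' % (is_igmp))

    # 1. Snoop chain in the raw table with its packet-type rules.
    ret = snoop_create_iptables_chain(is_igmp, 'raw', chain_name)
    if ret is False:
        mcast_utils.log_err(
            'Failed to create/add %s rules to %s chain' % (binary, chain_name))
        return ret

    # 2. PREROUTING jump rule, appended only when not already present (-C).
    rule_prefix = binary + ' -t raw '
    cmd = (rule_prefix + ' -C ' + preroute_rule).split()
    if mcast_utils.run_command(cmd, res) != 0:
        cmd = (rule_prefix + ' -A ' + preroute_rule).split()
        if mcast_utils.run_command(cmd, res) != 0:
            ret = False
    if ret is False:
        mcast_utils.log_err('Failed to add %s rules to PREROUTING chain' % (binary))
        return ret
    # Previously logged only on the MLD path; now emitted for both families.
    mcast_utils.log_debug('%s chain created and rules added succesfully' % (chain_name))

    # 3. EBTABLES nat POSTROUTING rules.
    ret = add_ebtable_rules(' nat ', ' POSTROUTING ', ebtable_rules)
    if ret is False:
        mcast_utils.log_err(
            'Failed to add %s EBTABLE rules to nat POSTROUTING chain' % (family))
        return ret

    ret = snoop_bridge_nf_iptables_enable(is_igmp)
    if ret is False:
        mcast_utils.log_err('Failed to enable bridge_nf_call_%s' % (binary))
        return ret

    mcast_utils.log_info(
        'All %s global Ebtables/Iptables created and rules added succesfully' % (family))
    return ret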
def read_ebtable_rules(table, chain):
    """Return the current listing of an ebtables chain, as collected by run_command().

    Args:
        table: ebtables table; may carry surrounding spaces (e.g. ``' nat '``),
            which the whitespace split of the command string discards.
        chain: chain to list, same convention (e.g. ``' POSTROUTING '``).

    Returns:
        The output buffer filled by run_command() for
        ``ebtables -t <table> -L <chain>``; also written to the debug log.
    """
    listing = []
    list_cmd = ' '.join(['ebtables -t', table, '-L', chain])
    mcast_utils.run_command(list_cmd.split(), listing)
    mcast_utils.log_debug("ebtable dump: %s" % (listing))
    return listing