def main(command, phys_dev_name):
    """Reset the base (non-VM) OpenFlow rules on the bridge behind phys_dev_name.

    command:        'online' or 'reset' installs the base rules after the
                    bridge is cleared; any other value only clears it.
    phys_dev_name:  physical interface whose bridge is configured.

    Every call starts with `ovs-ofctl del-flows`, so all flows on the bridge
    (including per-VM ones added by other scripts) are gone until re-added.
    NOTE(review): between del-flows and the add-flow calls the bridge holds no
    flows; what OVS does with traffic in that window depends on the bridge's
    fail-mode / table-miss handling -- confirm it is not "forward everything".
    The base rules are deliberately low priority (2 and 1) so that VM-specific
    flows installed elsewhere always take precedence.
    """
    def ofctl(*args):
        return execute('/usr/bin/ovs-ofctl', *args)

    vsctl = '/usr/bin/ovs-vsctl'
    bridge = execute_get_output(vsctl, 'iface-to-br', phys_dev_name)

    # Start from a clean table no matter which command was requested.
    ofctl('del-flows', bridge)

    if command not in ('online', 'reset'):
        # e.g. 'offline': the bridge is left with no base rules at all.
        return

    # OpenFlow port number of the physical NIC on this bridge.
    # NOTE(review): assumes ovs-vsctl returns a usable port number; if it
    # reports none (e.g. -1) the add-flow below fails *after* the table was
    # already cleared -- confirm execute() surfaces that failure.
    pnic_port = execute_get_output(vsctl, 'get', 'Interface', phys_dev_name, 'ofport')

    # Everything arriving from the physical NIC is treated as trusted: it
    # either came through another filtered VIF or from the infrastructure.
    ofctl('add-flow', bridge, "priority=2,in_port=%s,actions=normal" % pnic_port)

    # Dom0's own traffic enters via the LOCAL port; allow it only when a
    # management IPv4 address is configured on the bridge interface itself.
    addr_info = execute_get_output('/sbin/ip', '-o', '-f', 'inet', 'addr', 'show', bridge)
    if addr_info != '':
        ofctl('add-flow', bridge, "priority=2,in_port=LOCAL,actions=normal")

    # Fail closed: anything not matched by a higher-priority flow is dropped.
    ofctl('add-flow', bridge, 'priority=1,actions=drop')
def apply_iptables_rules(command, params):
    """Maintain the IPv4 anti-spoofing ACCEPT rule for one VIF.

    params must supply 'VIF' (the bridge port name) and 'IP' (the address
    the VM is allowed to send from).  The rule is always deleted first and
    re-added only when command == 'online'; any other command (e.g.
    'offline') leaves the VIF without an ACCEPT entry.

    Only traffic whose source address equals params['IP'] is accepted from
    the VIF; frames with any other source are not matched here and fall
    through to the rest of the FORWARD chain.  NOTE(review): whether they are
    then dropped depends on the chain policy / later rules, which are not
    visible in this file -- confirm FORWARD defaults to DROP.
    NOTE(review): the -D of a rule that does not exist makes iptables exit
    non-zero; this assumes execute() tolerates that, otherwise 'online' would
    never reach the -A on first use.
    """
    def iptables(*args):
        return execute('/sbin/iptables', *args)

    # One match spec shared by the delete and the append so they cannot drift.
    accept_from_vif = (
        '-m', 'physdev', '--physdev-in', params['VIF'],
        '-s', params['IP'],
        '-j', 'ACCEPT',
    )

    iptables('-D', 'FORWARD', *accept_from_vif)
    if command == 'online':
        iptables('-A', 'FORWARD', *accept_from_vif)
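def apply_arptables_rules(command, params):
    """Maintain the ARP ACCEPT rules for one VIF in the arptables FORWARD chain.

    params must supply 'VIF', 'IP' and 'MAC'.  Both rules are always deleted
    first; they are re-added only when command == 'online'.

    Rules installed for an online VIF:
      * ARP Request from the VIF with sender MAC == params['MAC'].
      * ARP Reply   from the VIF with sender MAC == params['MAC'] and
        sender IP == params['IP'].

    Fix: the delete for the Request rule used to include --source-ip, which
    the corresponding add does not, so the two specs never matched and the
    Request ACCEPT was never removed on 'offline' (and was appended again on
    every 'online').  Both delete specs are now built from the same tuples
    as the adds so they cannot drift apart.

    NOTE(review): the Request rule omits --source-ip, presumably so ARP
    probes with sender IP 0.0.0.0 (DAD / DHCP) get through -- confirm.  A
    consequence is that a VM with the right MAC may send ARP Requests
    carrying any sender IP, so cache poisoning via gratuitous *requests*
    is not prevented by this rule unless another FORWARD rule rejects it.
    NOTE(review): a -D of a rule that is not present makes arptables exit
    non-zero; this relies on execute() tolerating that, as the original did.
    """
    def arptables(*args):
        return execute('/sbin/arptables', *args)

    vif, ip, mac = params['VIF'], params['IP'], params['MAC']

    # Single source of truth for the match specs: the delete and the add of
    # each rule pass exactly the same arguments.
    request_rule = ('--opcode', 'Request', '--in-interface', vif,
                    '--source-mac', mac, '-j', 'ACCEPT')
    reply_rule = ('--opcode', 'Reply', '--in-interface', vif,
                  '--source-ip', ip, '--source-mac', mac, '-j', 'ACCEPT')

    # Always clear first so repeated 'online' calls do not stack duplicates.
    arptables('-D', 'FORWARD', *request_rule)
    arptables('-D', 'FORWARD', *reply_rule)

    if command == 'online':
        arptables('-A', 'FORWARD', *request_rule)
        arptables('-A', 'FORWARD', *reply_rule)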
def apply_ebtables_rules(command, params):
    """Maintain the layer-2 filter rules for one VIF in the ebtables FORWARD chain.

    params must supply 'VIF', 'IP' and 'MAC'.  Every rule is deleted first
    and re-added only when command == 'online'.

    Rules installed for an online VIF:
      * egress (-o VIF): ARP frames whose target IP is params['IP'], and
        IPv4 frames whose destination is params['IP'], are ACCEPTed -- the
        VM only sees traffic addressed to its own IP.
      * ingress (-i VIF): frames whose source MAC is *not* params['MAC'] are
        DROPped.  This rule is inserted at position 1 so MAC anti-spoofing
        is evaluated before any ACCEPT in the chain.

    NOTE(review): only ethertypes 0x0806 (ARP) and 0x0800 (IPv4) are named
    by the ACCEPT rules; the fate of anything else (e.g. IPv6, 0x86dd) rests
    on the chain policy and other rules not visible here -- confirm FORWARD
    defaults to DROP.
    NOTE(review): the -D of an absent rule makes ebtables exit non-zero; this
    assumes execute() tolerates that, as the original did.
    """
    def ebtables(*args):
        return execute("/sbin/ebtables", *args)

    vif, ip, mac = params['VIF'], params['IP'], params['MAC']

    # Frames allowed *to* the VIF: only those addressed to the VM's IP.
    egress_accepts = (
        ('-p', '0806', '-o', vif, '--arp-ip-dst', ip, '-j', 'ACCEPT'),
        ('-p', '0800', '-o', vif, '--ip-dst', ip, '-j', 'ACCEPT'),
    )
    for spec in egress_accepts:
        ebtables('-D', 'FORWARD', *spec)
    if command == 'online':
        for spec in egress_accepts:
            ebtables('-A', 'FORWARD', *spec)

    # Frames *from* the VIF with a foreign source MAC are dropped, and the
    # rule goes to the head of the chain so nothing can ACCEPT them first.
    mac_antispoof = ('-s', '!', mac, '-i', vif, '-j', 'DROP')
    ebtables('-D', 'FORWARD', *mac_antispoof)
    if command == 'online':
        ebtables('-I', 'FORWARD', '1', *mac_antispoof)
def clear_flows(self, ofport):
    """Delete every flow on self.bridge that matches in_port=ofport.

    ofport: OpenFlow port number of the VIF whose flows are being removed.
    NOTE(review): ofport is interpolated unescaped into the ovs-ofctl match
    string; assumes it is the integer OVS reported for the port -- confirm
    the caller never passes user-controlled text here.
    """
    port_match = 'in_port={0}'.format(ofport)
    execute(OVS_OFCTL, 'del-flows', self.bridge, port_match)
def add(self, rule):
    """Install one OpenFlow rule on self.bridge.

    rule: an ovs-ofctl flow specification using %(name)s placeholders,
          filled in from self.params before being passed to `add-flow`.
    NOTE(review): param values are substituted unescaped into the flow
    spec, so a value containing ',' or 'actions=' would change the rule's
    meaning -- confirm self.params comes only from dom0/nova-controlled
    configuration and never from guest-writable data.
    """
    flow_spec = rule % self.params
    execute(OVS_OFCTL, 'add-flow', self.bridge, flow_spec)