[mirror_lxc.git] / src / lxc / lxc.net

#!/bin/sh
set -eu

USE_LXC_BRIDGE="true"
LXC_BRIDGE="lxcbr0"
LXC_ADDR="10.0.3.1"
LXC_NETMASK="255.255.255.0"
LXC_NETWORK="10.0.3.0/24"
LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
LXC_DHCP_MAX="253"
LXC_DHCP_CONFILE=""
varrun="/run/lxc"
LXC_DOMAIN=""

start() {
	[ -f /etc/default/lxc ] && . /etc/default/lxc

	[ "x$USE_LXC_BRIDGE" = "xtrue" ] || { stop; exit 0; }

	use_iptables_lock="-w"
	iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
	cleanup() {
		# dnsmasq failed to start, clean up the bridge
		iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
		iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
		iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
		iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
		iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
		iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
		iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
		iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
		ifconfig ${LXC_BRIDGE} down || true
		brctl delbr ${LXC_BRIDGE} || true
	}

	if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
		if [ ! -f ${varrun}/network_up ]; then
			# bridge exists, but we didn't start it
			stop;
		fi
		exit 0;
	fi

	# set up the lxc network
	brctl addbr ${LXC_BRIDGE} || { echo "Missing bridge support in kernel"; stop; exit 0; }
	echo 1 > /proc/sys/net/ipv4/ip_forward
	mkdir -p ${varrun}
	ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up
	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
	iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT
	iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT
	iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
	iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill

	LXC_DOMAIN_ARG=""
	if [ -n "$LXC_DOMAIN" ]; then
		LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/"
	fi
	DNSMASQ_USER="lxc-dnsmasq"
	if ! getent passwd ${DNSMASQ_USER} >/dev/null; then
		DNSMASQ_USER="dnsmasq"
	fi
	dnsmasq $LXC_DOMAIN_ARG -u ${DNSMASQ_USER} --strict-order --bind-interfaces --pid-file=${varrun}/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative || cleanup
	touch ${varrun}/network_up
}

stop() {
	[ -f /etc/default/lxc ] && . /etc/default/lxc
	[ -f "${varrun}/network_up" ] || exit 0;
	# if $LXC_BRIDGE has attached interfaces, don't shut it down
	ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 && exit 0;

	if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
		use_iptables_lock="-w"
		iptables -w -L -n > /dev/null 2>&1 || use_iptables_lock=""
		ifconfig ${LXC_BRIDGE} down
		iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
		iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
		iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
		iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
		iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
		iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
		iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE || true
		iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
		pid=`cat ${varrun}/dnsmasq.pid 2>/dev/null` && kill -9 $pid || true
		rm -f ${varrun}/dnsmasq.pid
		brctl delbr ${LXC_BRIDGE}
	fi
	rm -f ${varrun}/network_up
}

if [ "$1" = start ]; then
	start
elif [ "$1" = stop ]; then
	stop
else
	echo "Usage: $0 start|stop" >&2
	exit 1
fi
Commit	Line	Data
2ed77621 MP	1	#!/bin/sh
	2	set -eu
	3
	4	USE_LXC_BRIDGE="true"
	5	LXC_BRIDGE="lxcbr0"
	6	LXC_ADDR="10.0.3.1"
	7	LXC_NETMASK="255.255.255.0"
	8	LXC_NETWORK="10.0.3.0/24"
	9	LXC_DHCP_RANGE="10.0.3.2,10.0.3.254"
	10	LXC_DHCP_MAX="253"
	11	LXC_DHCP_CONFILE=""
	12	varrun="/run/lxc"
	13	LXC_DOMAIN=""
	14
	15	start() {
	16	[ -f /etc/default/lxc ] && . /etc/default/lxc
	17
	18	[ "x$USE_LXC_BRIDGE" = "xtrue" ] \|\| { stop; exit 0; }
	19
	20	use_iptables_lock="-w"
	21	iptables -w -L -n > /dev/null 2>&1 \|\| use_iptables_lock=""
	22	cleanup() {
	23	# dnsmasq failed to start, clean up the bridge
	24	iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
	25	iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
	26	iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
	27	iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
	28	iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
	29	iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
	30	iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE \|\| true
	31	iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
	32	ifconfig ${LXC_BRIDGE} down \|\| true
	33	brctl delbr ${LXC_BRIDGE} \|\| true
	34	}
	35
	36	if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
	37	if [ ! -f ${varrun}/network_up ]; then
	38	# bridge exists, but we didn't start it
	39	stop;
	40	fi
	41	exit 0;
	42	fi
	43
	44	# set up the lxc network
	45	brctl addbr ${LXC_BRIDGE} \|\| { echo "Missing bridge support in kernel"; stop; exit 0; }
	46	echo 1 > /proc/sys/net/ipv4/ip_forward
	47	mkdir -p ${varrun}
	48	ifconfig ${LXC_BRIDGE} ${LXC_ADDR} netmask ${LXC_NETMASK} up
	49	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
	50	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
	51	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
	52	iptables $use_iptables_lock -I INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
	53	iptables $use_iptables_lock -I FORWARD -i ${LXC_BRIDGE} -j ACCEPT
	54	iptables $use_iptables_lock -I FORWARD -o ${LXC_BRIDGE} -j ACCEPT
	55	iptables $use_iptables_lock -t nat -A POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE
	56	iptables $use_iptables_lock -t mangle -A POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
	57
	58	LXC_DOMAIN_ARG=""
	59	if [ -n "$LXC_DOMAIN" ]; then
	60	LXC_DOMAIN_ARG="-s $LXC_DOMAIN -S /$LXC_DOMAIN/"
	61	fi
1c1bb85a ÇO	62	DNSMASQ_USER="lxc-dnsmasq"
	63	if ! getent passwd ${DNSMASQ_USER} >/dev/null; then
	64	DNSMASQ_USER="dnsmasq"
	65	fi
	66	dnsmasq $LXC_DOMAIN_ARG -u ${DNSMASQ_USER} --strict-order --bind-interfaces --pid-file=${varrun}/dnsmasq.pid --conf-file=${LXC_DHCP_CONFILE} --listen-address ${LXC_ADDR} --dhcp-range ${LXC_DHCP_RANGE} --dhcp-lease-max=${LXC_DHCP_MAX} --dhcp-no-override --except-interface=lo --interface=${LXC_BRIDGE} --dhcp-leasefile=/var/lib/misc/dnsmasq.${LXC_BRIDGE}.leases --dhcp-authoritative \|\| cleanup
2ed77621 MP	67	touch ${varrun}/network_up
	68	}
	69
	70	stop() {
	71	[ -f /etc/default/lxc ] && . /etc/default/lxc
	72	[ -f "${varrun}/network_up" ] \|\| exit 0;
	73	# if $LXC_BRIDGE has attached interfaces, don't shut it down
	74	ls /sys/class/net/${LXC_BRIDGE}/brif/* > /dev/null 2>&1 && exit 0;
	75
	76	if [ -d /sys/class/net/${LXC_BRIDGE} ]; then
	77	use_iptables_lock="-w"
	78	iptables -w -L -n > /dev/null 2>&1 \|\| use_iptables_lock=""
	79	ifconfig ${LXC_BRIDGE} down
	80	iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 67 -j ACCEPT
	81	iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 67 -j ACCEPT
	82	iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p udp --dport 53 -j ACCEPT
	83	iptables $use_iptables_lock -D INPUT -i ${LXC_BRIDGE} -p tcp --dport 53 -j ACCEPT
	84	iptables $use_iptables_lock -D FORWARD -i ${LXC_BRIDGE} -j ACCEPT
	85	iptables $use_iptables_lock -D FORWARD -o ${LXC_BRIDGE} -j ACCEPT
	86	iptables $use_iptables_lock -t nat -D POSTROUTING -s ${LXC_NETWORK} ! -d ${LXC_NETWORK} -j MASQUERADE \|\| true
	87	iptables $use_iptables_lock -t mangle -D POSTROUTING -o ${LXC_BRIDGE} -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
	88	pid=`cat ${varrun}/dnsmasq.pid 2>/dev/null` && kill -9 $pid \|\| true
	89	rm -f ${varrun}/dnsmasq.pid
	90	brctl delbr ${LXC_BRIDGE}
	91	fi
	92	rm -f ${varrun}/network_up
	93	}
	94
	95	if [ "$1" = start ]; then
	96	start
	97	elif [ "$1" = stop ]; then
	98	stop
	99	else
	100	echo "Usage: $0 start\|stop" >&2
	101	exit 1
	102	fi
	103