add ifupdown helper to setup MASQUERADE on veth device

diff --git a/README b/README
index 23c350f9a21d01fa27b63df1008ad453eb64f2e3..7fd313b08d69e500c9a5023a91f749fd4996a9e6 100644 (file)
--- a/README
+++ b/README
@@ -113,17 +113,14 @@ iface vmbr1 inet manual
       bridge_stp off
       bridge_fd 0
 
-# setup masqueraded bridge port vmbr1/pm1
+# setup masqueraded bridge port vmbr1/pm1 using pm0
+# NOTE: this needs kernel 3.10.0 or newer (for conntrack --zone) 
 auto pm1
 iface pm1 inet static
        address 10.10.10.1
        netmask 255.255.255.0
        VETH_BRIDGETO vmbr1
-       post-up   iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i vmbr1 -j CT --zone 1
-       post-up   iptables -t raw -A PREROUTING -d '10.10.10.0/24' -i vmbr1 -j CT --zone 1
-       post-up   iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
-       post-down iptables -t nat -F POSTROUTING
-       post-down iptables -t raw -F PREROUTING
+       VETH_MASQUERADE pm0
 
 ...
 

diff --git a/debian/ifupdown.sh b/debian/ifupdown.sh
index b0ad90d5414dc69930947e8d970e32b7b6c8816e..e36c2b97e4e1722d2a17bc2c09075a2809778943 100755 (executable)
--- a/debian/ifupdown.sh
+++ b/debian/ifupdown.sh
@@ -12,14 +12,50 @@ then
 fi
 
 if [ "${MODE}" = "start" ]; then
-    test -d "/sys/class/net/${IF_VETH_BRIDGETO}" || ifup "${IF_VETH_BRIDGETO}" || exit 1
-    ip link add name "${IFACE}" type veth peer name "${IFACE}peer" || exit 1
-    ip link set "${IFACE}peer" up || exit 1
-    brctl addif "${IF_VETH_BRIDGETO}" "${IFACE}peer" || exit 1
+    
+    case "$PHASE" in
+        pre-up)
+ 
+           test -d "/sys/class/net/${IF_VETH_BRIDGETO}" || ifup "${IF_VETH_BRIDGETO}" || exit 1
+           ip link add name "${IFACE}" type veth peer name "${IFACE}peer" || exit 1
+           ip link set "${IFACE}peer" up || exit 1
+           brctl addif "${IF_VETH_BRIDGETO}" "${IFACE}peer" || exit 1
+           ;;
+
+        post-up)
+           test -n "${IF_VETH_MASQUERADE}" || exit 0
+           if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then 
+               iptables -t raw -A PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
+               iptables -t raw -A PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i  "${IF_VETH_BRIDGETO}" -j CT --zone 1
+               iptables -t nat -A POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o  "${IF_VETH_MASQUERADE}"  -j MASQUERADE
+           else
+               echo "unable to setup VETH_MASQUERADE - no address/network"
+               exit 0
+           fi
+           ;;
+    esac
+  
 elif [ "${MODE}" = "stop" ]; then
-    brctl delif "${IF_VETH_BRIDGETO}" "${IFACE}peer"
-    ip link set "${IFACE}peer" down || exit 1
-    ip link del "${IFACE}" || exit 1
+
+    case "$PHASE" in
+        post-down)
+  
+           brctl delif "${IF_VETH_BRIDGETO}" "${IFACE}peer"
+           ip link set "${IFACE}peer" down || exit 1
+           ip link del "${IFACE}" || exit 1
+           ;;
+
+        pre-down)
+           test -n "${IF_VETH_MASQUERADE}" || exit 0
+           if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then 
+               iptables -t raw -D PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
+               iptables -t raw -D PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i  "${IF_VETH_BRIDGETO}" -j CT --zone 1
+               iptables -t nat -D POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o  "${IF_VETH_MASQUERADE}"  -j MASQUERADE
+           fi
+           ;;
+
+    esac
+
 fi
 
 exit 0

diff --git a/debian/links b/debian/links
index 4a1cf60b37d6eb34f417f66afbedcefc491acb10..8c3a9a3a72905e7835b63c955e759cd05a708da9 100644 (file)
--- a/debian/links
+++ b/debian/links
@@ -1,2 +1,4 @@
+usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-up.d/pve-firewall
+usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-down.d/pve-firewall
 usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-pre-up.d/pve-firewall
 usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-post-down.d/pve-firewall