From: Dietmar Maurer Date: Mon, 10 Mar 2014 11:49:02 +0000 (+0100) Subject: add ifupdown helper to setup MASQUERADE on veth device X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=79f08c62c92c998e3904bab229444df2a2d6f522;ds=sidebyside add ifupdown helper to setup MASQUERADE on veth device
---
diff --git a/README b/README
index 23c350f..7fd313b 100644
--- a/README
+++ b/README
@@ -113,17 +113,14 @@ iface vmbr1 inet manual
 bridge_stp off
 bridge_fd 0
-# setup masqueraded bridge port vmbr1/pm1
+# setup masqueraded bridge port vmbr1/pm1 using pm0
+# NOTE: this needs kernel 3.10.0 or newer (for conntrack --zone)
 auto pm1
 iface pm1 inet static
 address 10.10.10.1
 netmask 255.255.255.0
 VETH_BRIDGETO vmbr1
- post-up iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i vmbr1 -j CT --zone 1
- post-up iptables -t raw -A PREROUTING -d '10.10.10.0/24' -i vmbr1 -j CT --zone 1
- post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
- post-down iptables -t nat -F POSTROUTING
- post-down iptables -t raw -F PREROUTING
+ VETH_MASQUERADE pm0
 ...
diff --git a/debian/ifupdown.sh b/debian/ifupdown.sh
index b0ad90d..e36c2b9 100755
--- a/debian/ifupdown.sh
+++ b/debian/ifupdown.sh
@@ -12,14 +12,50 @@ then
 fi
 if [ "${MODE}" = "start" ]; then
- test -d "/sys/class/net/${IF_VETH_BRIDGETO}" || ifup "${IF_VETH_BRIDGETO}" || exit 1
- ip link add name "${IFACE}" type veth peer name "${IFACE}peer" || exit 1
- ip link set "${IFACE}peer" up || exit 1
- brctl addif "${IF_VETH_BRIDGETO}" "${IFACE}peer" || exit 1
+
+ case "$PHASE" in
+ pre-up)
+
+ test -d "/sys/class/net/${IF_VETH_BRIDGETO}" || ifup "${IF_VETH_BRIDGETO}" || exit 1
+ ip link add name "${IFACE}" type veth peer name "${IFACE}peer" || exit 1
+ ip link set "${IFACE}peer" up || exit 1
+ brctl addif "${IF_VETH_BRIDGETO}" "${IFACE}peer" || exit 1
+ ;;
+
+ post-up)
+ test -n "${IF_VETH_MASQUERADE}" || exit 0
+ if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then
+ iptables -t raw -A PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
+ iptables -t raw -A PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
+ iptables -t nat -A POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o "${IF_VETH_MASQUERADE}" -j MASQUERADE
+ else
+ echo "unable to setup VETH_MASQUERADE - no address/network"
+ exit 0
+ fi
+ ;;
+ esac
+
 elif [ "${MODE}" = "stop" ]; then
- brctl delif "${IF_VETH_BRIDGETO}" "${IFACE}peer"
- ip link set "${IFACE}peer" down || exit 1
- ip link del "${IFACE}" || exit 1
+
+ case "$PHASE" in
+ post-down)
+
+ brctl delif "${IF_VETH_BRIDGETO}" "${IFACE}peer"
+ ip link set "${IFACE}peer" down || exit 1
+ ip link del "${IFACE}" || exit 1
+ ;;
+
+ pre-down)
+ test -n "${IF_VETH_MASQUERADE}" || exit 0
+ if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then
+ iptables -t raw -D PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
+ iptables -t raw -D PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
+ iptables -t nat -D POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o "${IF_VETH_MASQUERADE}" -j MASQUERADE
+ fi
+ ;;
+
+ esac
+
 fi
 exit 0
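Review bot: The three `iptables` calls in the new post-up arm run unchecked, so if the first `-t raw ... -j CT --zone 1` rule is rejected (the README hunk itself notes `CT --zone` needs kernel 3.10.0 or newer) the script still appends the `-t nat ... -j MASQUERADE` rule and reaches `exit 0`, leaving masquerading active without the conntrack-zone rules it was paired with while ifup reports success. The pre-up arm already ends each command with `|| exit 1`; doing the same on the three post-up `iptables` lines makes the failure visible and keeps the partial rule set from being installed (the `-D` calls in pre-down are fine unchecked, since there is nothing to delete if the add never happened). Minor: the diagnostic `echo "unable to setup VETH_MASQUERADE - no address/network"` goes to stdout; `>&2` would route it with the other errors. The script continues above the hunk, since the leading `fi` context line closes a block that starts outside it.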
diff --git a/debian/links b/debian/links
index 4a1cf60..8c3a9a3 100644
--- a/debian/links
+++ b/debian/links
@@ -1,2 +1,4 @@
+usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-up.d/pve-firewall
+usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-down.d/pve-firewall
 usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-pre-up.d/pve-firewall
 usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-post-down.d/pve-firewall